From 285b0b94cea72541ac4e3cddc632ea86b62919cc Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Wed, 16 Aug 2023 16:29:42 +0530 Subject: [PATCH 01/28] context.tf updated --- context.tf | 75 +++++++++++++++++++++++++----------------------------- 1 file changed, 35 insertions(+), 40 deletions(-) diff --git a/context.tf b/context.tf index 5e0ef885..8e030a9f 100644 --- a/context.tf +++ b/context.tf @@ -1,15 +1,7 @@ # -# ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label +# ONLY EDIT THIS FILE IN https://github.com/studiographene/terraform-null-sg-label/blob/main/exports/ # All other instances of this file should be a copy of that one # -# -# Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf -# and then place it in your Terraform module to automatically get -# Cloud Posse's standard configuration inputs suitable for passing -# to Cloud Posse modules. -# -# curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf -# # Modules should access the whole context as `module.this.context` # to get the input variables with nulls for defaults, # for example `context = module.this.context`, @@ -21,15 +13,14 @@ # module "this" { - source = "cloudposse/label/null" - version = "0.25.0" # requires Terraform >= 0.13.0 + source = "app.terraform.io/studiographene/sg-label/null" + version = "1.0.4" enabled = var.enabled - namespace = var.namespace - tenant = var.tenant + project_name = var.project_name + aws_estate = var.aws_estate environment = var.environment stage = var.stage - name = var.name delimiter = var.delimiter attributes = var.attributes tags = var.tags @@ -41,21 +32,20 @@ module "this" { label_value_case = var.label_value_case descriptor_formats = var.descriptor_formats labels_as_tags = var.labels_as_tags + name = var.name + namespace = var.namespace context = var.context } -# Copy contents of cloudposse/terraform-null-label/variables.tf here - variable "context" { type = any default = { enabled = true - namespace = null - tenant = null + project_name = null + aws_estate = null environment = null stage = null - name = null delimiter = null attributes = [] tags = {} @@ -74,6 +64,8 @@ variable "context" { # by setting `labels_as_tags` to `[]`, so we need # a different sentinel to indicate "default" labels_as_tags = ["unset"] + name = null + namespace = null } description = <<-EOT Single object for setting entire context at once. @@ -100,22 +92,22 @@ variable "enabled" { description = "Set to false to prevent the module from creating any resources" } -variable "namespace" { +variable "project_name" { type = string default = null - description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique" + description = "ID element. Usually an abbreviation of project or brand name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique" } -variable "tenant" { +variable "aws_estate" { type = string default = null - description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for" + description = "ID element _(Rarely used, not included by default)_. An AWS account identifier" } variable "environment" { type = string default = null - description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'" + description = "ID element. Usually used for role 'prod', 'staging', 'dev', 'UAT', OR region e.g. 'uw2', 'us-west-2'" } variable "stage" { @@ -124,22 +116,12 @@ variable "stage" { description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'" } -variable "name" { - type = string - default = null - description = <<-EOT - ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. - This is the only ID element not also included as a `tag`. - The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. - EOT -} - variable "delimiter" { type = string default = null description = <<-EOT - Delimiter to be used between ID elements. - Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. + Delimiter to be used between ID elements. Set to `""` to use no delimiter at all. + Default = "-" (hyphen). EOT } @@ -163,7 +145,6 @@ variable "labels_as_tags" { Tags with empty values will not be included in the `tags` output. Set to `[]` to suppress all generated tags. **Notes:** - The value of the `name` tag, if included, will be the `id`, not the `name`. Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be changed in later chained modules. Attempts to change it will be silently ignored. EOT @@ -193,8 +174,8 @@ variable "label_order" { default = null description = <<-EOT The order in which the labels (ID elements) appear in the `id`. - Defaults to ["namespace", "environment", "stage", "name", "attributes"]. - You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. + Defaults to ["project_name", "aws_estate", "environment", "stage", "attributes"]. + You can omit any of the 5 labels, but at least one must be present. EOT } @@ -276,4 +257,18 @@ variable "descriptor_formats" { EOT } -#### End of copy of cloudposse/terraform-null-label/variables.tf +variable "name" { + type = string + default = null + description = <<-EOT + ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. + This is the only ID element not also included as a `tag`. + The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. + EOT +} + +variable "namespace" { + type = string + default = null + description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique" +} From ae147db56270b1156c853031921d4247f12b28c9 Mon Sep 17 00:00:00 2001 From: Mohankumar-studiographene Date: Wed, 16 Aug 2023 17:34:35 +0530 Subject: [PATCH 02/28] Deprecated variables updated --- README.md | 397 +++++++++++++++++--------------------- examples/complete/main.tf | 2 +- main.tf | 52 ++--- security_group_inputs.tf | 111 ----------- variables-deprecated.tf | 60 ------ variables.tf | 92 +++++++++ 6 files changed, 289 insertions(+), 425 deletions(-) delete mode 100644 variables-deprecated.tf diff --git a/README.md b/README.md index 7a773666..bc092b2f 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ - + # terraform-aws-elasticache-redis [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-elasticache-redis.svg)](https://github.com/cloudposse/terraform-aws-elasticache-redis/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) + [![README Header][readme_header_img]][readme_header_link] @@ -40,48 +41,31 @@ This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops) [][share_linkedin] [][share_twitter] - [![Terraform Open Source Modules](https://docs.cloudposse.com/images/terraform-open-source-modules.svg)][terraform_modules] - - It's 100% Open Source and licensed under the [APACHE2](LICENSE). - - - - - - -We literally have [*hundreds of terraform modules*][terraform_modules] that are Open Source and well-maintained. Check them out! - - - - - +We literally have [_hundreds of terraform modules_][terraform_modules] that are Open Source and well-maintained. Check them out! ## Security & Compliance [](https://bridgecrew.io/) Security scanning is graciously provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance. -| Benchmark | Description | -|--------|---------------| -| [![Infrastructure Security](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/general)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=INFRASTRUCTURE+SECURITY) | Infrastructure Security Compliance | -| [![CIS KUBERNETES](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/cis_kubernetes)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=CIS+KUBERNETES+V1.5) | Center for Internet Security, KUBERNETES Compliance | -| [![CIS AWS](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/cis_aws)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=CIS+AWS+V1.2) | Center for Internet Security, AWS Compliance | -| [![CIS AZURE](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/cis_azure)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=CIS+AZURE+V1.1) | Center for Internet Security, AZURE Compliance | -| [![PCI-DSS](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/pci)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=PCI-DSS+V3.2) | Payment Card Industry Data Security Standards Compliance | -| [![NIST-800-53](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/nist)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=NIST-800-53) | National Institute of Standards and Technology Compliance | -| [![ISO27001](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/iso)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=ISO27001) | Information Security Management System, ISO/IEC 27001 Compliance | -| [![SOC2](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/soc2)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=SOC2)| Service Organization Control 2 Compliance | -| [![CIS GCP](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/cis_gcp)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=CIS+GCP+V1.1) | Center for Internet Security, GCP Compliance | -| [![HIPAA](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/hipaa)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=HIPAA) | Health Insurance Portability and Accountability Compliance | - - +| Benchmark | Description | +| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | +| [![Infrastructure Security](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/general)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=INFRASTRUCTURE+SECURITY) | Infrastructure Security Compliance | +| [![CIS KUBERNETES](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/cis_kubernetes)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=CIS+KUBERNETES+V1.5) | Center for Internet Security, KUBERNETES Compliance | +| [![CIS AWS](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/cis_aws)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=CIS+AWS+V1.2) | Center for Internet Security, AWS Compliance | +| [![CIS AZURE](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/cis_azure)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=CIS+AZURE+V1.1) | Center for Internet Security, AZURE Compliance | +| [![PCI-DSS](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/pci)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=PCI-DSS+V3.2) | Payment Card Industry Data Security Standards Compliance | +| [![NIST-800-53](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/nist)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=NIST-800-53) | National Institute of Standards and Technology Compliance | +| [![ISO27001](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/iso)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=ISO27001) | Information Security Management System, ISO/IEC 27001 Compliance | +| [![SOC2](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/soc2)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=SOC2) | Service Organization Control 2 Compliance | +| [![CIS GCP](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/cis_gcp)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=CIS+GCP+V1.1) | Center for Internet Security, GCP Compliance | +| [![HIPAA](https://www.bridgecrew.cloud/badges/github/cloudposse/terraform-aws-elasticache-redis/hipaa)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=cloudposse%2Fterraform-aws-elasticache-redis&benchmark=HIPAA) | Health Insurance Portability and Accountability Compliance | ## Usage - **IMPORTANT:** We do not pin modules to versions in our examples because of the difficulty of keeping the versions in the documentation in sync with the latest released versions. We highly recommend that in your code you pin the version to the exact version you are @@ -92,7 +76,6 @@ Also, because of a bug in the Terraform registry ([hashicorp/terraform#21417](ht the registry shows many of our inputs as required when in fact they are optional. The table below correctly indicates which inputs are required. - _**Disruptive changes introduced at version 0.41.0**. If upgrading from an earlier version, see [migration notes](https://github.com/cloudposse/terraform-aws-elasticache-redis/blob/master/docs/migration-notes-0.41.0.md) for details._ @@ -187,17 +170,14 @@ module "redis" { } ``` - - - ## Examples Review the [complete example](examples/complete) to see how to use this module. - - + ## Makefile Targets + ```text Available targets: @@ -207,136 +187,132 @@ Available targets: lint Lint terraform code ``` + + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.3 | -| [aws](#requirement\_aws) | >= 4.18 | +| Name | Version | +| ------------------------------------------------------------------------ | ------- | +| [terraform](#requirement_terraform) | >= 1.3 | +| [aws](#requirement_aws) | >= 4.18 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.18 | +| Name | Version | +| ------------------------------------------------ | ------- | +| [aws](#provider_aws) | >= 4.18 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [aws\_security\_group](#module\_aws\_security\_group) | cloudposse/security-group/aws | 1.0.1 | -| [dns](#module\_dns) | cloudposse/route53-cluster-hostname/aws | 0.12.2 | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| ----------------------------------------------------------------------------------------- | --------------------------------------- | ------- | +| [aws_security_group](#module_aws_security_group) | cloudposse/security-group/aws | 1.0.1 | +| [dns](#module_dns) | cloudposse/route53-cluster-hostname/aws | 0.12.2 | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -|------|------| -| [aws_cloudwatch_metric_alarm.cache_cpu](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_cloudwatch_metric_alarm.cache_memory](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_elasticache_parameter_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_parameter_group) | resource | +| Name | Type | +| ------------------------------------------------------------------------------------------------------------------------------------------------------ | -------- | +| [aws_cloudwatch_metric_alarm.cache_cpu](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | +| [aws_cloudwatch_metric_alarm.cache_memory](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | +| [aws_elasticache_parameter_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_parameter_group) | resource | | [aws_elasticache_replication_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group) | resource | -| [aws_elasticache_subnet_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_subnet_group) | resource | +| [aws_elasticache_subnet_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_subnet_group) | resource | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_security\_group\_rules](#input\_additional\_security\_group\_rules) | A list of Security Group rule objects to add to the created security group, in addition to the ones
this module normally creates. (To suppress the module's rules, set `create_security_group` to false
and supply your own security group via `associated_security_group_ids`.)
The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except
for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time.
To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . | `list(any)` | `[]` | no | -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [alarm\_actions](#input\_alarm\_actions) | Alarm action list | `list(string)` | `[]` | no | -| [alarm\_cpu\_threshold\_percent](#input\_alarm\_cpu\_threshold\_percent) | CPU threshold alarm level | `number` | `75` | no | -| [alarm\_memory\_threshold\_bytes](#input\_alarm\_memory\_threshold\_bytes) | Ram threshold alarm level | `number` | `10000000` | no | -| [allow\_all\_egress](#input\_allow\_all\_egress) | If `true`, the created security group will allow egress on all ports and protocols to all IP address.
If this is false and no egress rules are otherwise specified, then no egress will be allowed.
Defaults to `true` unless the deprecated `egress_cidr_blocks` is provided and is not `["0.0.0.0/0"]`, in which case defaults to `false`. | `bool` | `null` | no | -| [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | DEPRECATED: Use `additional_security_group_rules` instead.
Historical description: List of CIDR blocks that are allowed ingress to the cluster's Security Group created in the module | `list(string)` | `[]` | no | -| [allowed\_security\_group\_ids](#input\_allowed\_security\_group\_ids) | A list of IDs of Security Groups to allow access to the security group created by this module. | `list(string)` | `[]` | no | -| [allowed\_security\_groups](#input\_allowed\_security\_groups) | DEPRECATED: Use `allowed_security_group_ids` instead. | `list(string)` | `[]` | no | -| [apply\_immediately](#input\_apply\_immediately) | Apply changes immediately | `bool` | `true` | no | -| [associated\_security\_group\_ids](#input\_associated\_security\_group\_ids) | A list of IDs of Security Groups to associate the created resource with, in addition to the created security group.
These security groups will not be modified and, if `create_security_group` is `false`, must provide all the required access. | `list(string)` | `[]` | no | -| [at\_rest\_encryption\_enabled](#input\_at\_rest\_encryption\_enabled) | Enable encryption at rest | `bool` | `false` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [auth\_token](#input\_auth\_token) | Auth token for password protecting redis, `transit_encryption_enabled` must be set to `true`. Password must be longer than 16 chars | `string` | `null` | no | -| [auto\_minor\_version\_upgrade](#input\_auto\_minor\_version\_upgrade) | Specifies whether minor version engine upgrades will be applied automatically to the underlying Cache Cluster instances during the maintenance window. Only supported if the engine version is 6 or higher. | `bool` | `null` | no | -| [automatic\_failover\_enabled](#input\_automatic\_failover\_enabled) | Automatic failover (Not available for T1/T2 instances) | `bool` | `false` | no | -| [availability\_zones](#input\_availability\_zones) | Availability zone IDs | `list(string)` | `[]` | no | -| [cloudwatch\_metric\_alarms\_enabled](#input\_cloudwatch\_metric\_alarms\_enabled) | Boolean flag to enable/disable CloudWatch metrics alarms | `bool` | `false` | no | -| [cluster\_mode\_enabled](#input\_cluster\_mode\_enabled) | Flag to enable/disable creation of a native redis cluster. `automatic_failover_enabled` must be set to `true`. Only 1 `cluster_mode` block is allowed | `bool` | `false` | no | -| [cluster\_mode\_num\_node\_groups](#input\_cluster\_mode\_num\_node\_groups) | Number of node groups (shards) for this Redis replication group. Changing this number will trigger an online resizing operation before other settings modifications | `number` | `0` | no | -| [cluster\_mode\_replicas\_per\_node\_group](#input\_cluster\_mode\_replicas\_per\_node\_group) | Number of replica nodes in each node group. Valid values are 0 to 5. Changing this number will force a new resource | `number` | `0` | no | -| [cluster\_size](#input\_cluster\_size) | Number of nodes in cluster. *Ignored when `cluster_mode_enabled` == `true`* | `number` | `1` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | 
{
  "additional_tag_map": {},
  "attributes": [],
  "delimiter": null,
  "descriptor_formats": {},
  "enabled": true,
  "environment": null,
  "id_length_limit": null,
  "label_key_case": null,
  "label_order": [],
  "label_value_case": null,
  "labels_as_tags": [
    "unset"
  ],
  "name": null,
  "namespace": null,
  "regex_replace_chars": null,
  "stage": null,
  "tags": {},
  "tenant": null
}
| no | -| [create\_security\_group](#input\_create\_security\_group) | Set `true` to create and configure a new security group. If false, `associated_security_group_ids` must be provided. | `bool` | `true` | no | -| [data\_tiering\_enabled](#input\_data\_tiering\_enabled) | Enables data tiering. Data tiering is only supported for replication groups using the r6gd node type. | `bool` | `false` | no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [description](#input\_description) | Description of elasticache replication group | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [dns\_subdomain](#input\_dns\_subdomain) | The subdomain to use for the CNAME record. If not provided then the CNAME record will use var.name. | `string` | `""` | no | -| [egress\_cidr\_blocks](#input\_egress\_cidr\_blocks) | DEPRECATED: Use `allow_all_egress` and `additional_security_group_rules` instead.
Historical description: Outbound traffic address.
Historical default: ["0.0.0.0/0"] | `list(any)` | `null` | no | -| [elasticache\_subnet\_group\_name](#input\_elasticache\_subnet\_group\_name) | Subnet group name for the ElastiCache instance | `string` | `""` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [engine\_version](#input\_engine\_version) | Redis engine version | `string` | `"4.0.10"` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [existing\_security\_groups](#input\_existing\_security\_groups) | DEPRECATED: Use `associated_security_group_ids` instead.
Historical description: List of existing Security Group IDs to place the cluster into.
Set `use_existing_security_groups` to `true` to enable using `existing_security_groups` as Security Groups for the cluster. | `list(string)` | `[]` | no | -| [family](#input\_family) | Redis family | `string` | `"redis4.0"` | no | -| [final\_snapshot\_identifier](#input\_final\_snapshot\_identifier) | The name of your final node group (shard) snapshot. ElastiCache creates the snapshot from the primary node in the cluster. If omitted, no final snapshot will be made. | `string` | `null` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [instance\_type](#input\_instance\_type) | Elastic cache instance type | `string` | `"cache.t2.micro"` | no | -| [kms\_key\_id](#input\_kms\_key\_id) | The ARN of the key that you wish to use if encrypting at rest. If not supplied, uses service managed encryption. `at_rest_encryption_enabled` must be set to `true` | `string` | `null` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | 
[
  "default"
]
| no | -| [log\_delivery\_configuration](#input\_log\_delivery\_configuration) | The log\_delivery\_configuration block allows the streaming of Redis SLOWLOG or Redis Engine Log to CloudWatch Logs or Kinesis Data Firehose. Max of 2 blocks. | `list(map(any))` | `[]` | no | -| [maintenance\_window](#input\_maintenance\_window) | Maintenance window | `string` | `"wed:03:00-wed:04:00"` | no | -| [multi\_az\_enabled](#input\_multi\_az\_enabled) | Multi AZ (Automatic Failover must also be enabled. If Cluster Mode is enabled, Multi AZ is on by default, and this setting is ignored) | `bool` | `false` | no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [notification\_topic\_arn](#input\_notification\_topic\_arn) | Notification topic arn | `string` | `""` | no | -| [ok\_actions](#input\_ok\_actions) | The list of actions to execute when this alarm transitions into an OK state from any other state. Each action is specified as an Amazon Resource Number (ARN) | `list(string)` | `[]` | no | -| [parameter](#input\_parameter) | A list of Redis parameters to apply. Note that parameters may differ from one Redis family to another | 
list(object({
    name  = string
    value = string
  }))
| `[]` | no | -| [parameter\_group\_description](#input\_parameter\_group\_description) | Managed by Terraform | `string` | `null` | no | -| [port](#input\_port) | Redis port | `number` | `6379` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [replication\_group\_id](#input\_replication\_group\_id) | Replication group ID with the following constraints:
A name must contain from 1 to 20 alphanumeric characters or hyphens.
The first character must be a letter.
A name cannot end with a hyphen or contain two consecutive hyphens. | `string` | `""` | no | -| [security\_group\_create\_before\_destroy](#input\_security\_group\_create\_before\_destroy) | Set `true` to enable Terraform `create_before_destroy` behavior on the created security group.
We only recommend setting this `false` if you are upgrading this module and need to keep
the existing security group from being replaced.
Note that changing this value will always cause the security group to be replaced. | `bool` | `true` | no | -| [security\_group\_create\_timeout](#input\_security\_group\_create\_timeout) | How long to wait for the security group to be created. | `string` | `"10m"` | no | -| [security\_group\_delete\_timeout](#input\_security\_group\_delete\_timeout) | How long to retry on `DependencyViolation` errors during security group deletion. | `string` | `"15m"` | no | -| [security\_group\_description](#input\_security\_group\_description) | The description to assign to the created Security Group.
Warning: Changing the description causes the security group to be replaced.
Set this to `null` to maintain parity with releases <= `0.34.0`. | `string` | `"Security group for Elasticache Redis"` | no | -| [security\_group\_name](#input\_security\_group\_name) | The name to assign to the created security group. Must be unique within the VPC.
If not provided, will be derived from the `null-label.context` passed in.
If `create_before_destroy` is true, will be used as a name prefix. | `list(string)` | `[]` | no | -| [snapshot\_arns](#input\_snapshot\_arns) | A single-element string list containing an Amazon Resource Name (ARN) of a Redis RDB snapshot file stored in Amazon S3. Example: arn:aws:s3:::my\_bucket/snapshot1.rdb | `list(string)` | `[]` | no | -| [snapshot\_name](#input\_snapshot\_name) | The name of a snapshot from which to restore data into the new node group. Changing the snapshot\_name forces a new resource. | `string` | `null` | no | -| [snapshot\_retention\_limit](#input\_snapshot\_retention\_limit) | The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. | `number` | `0` | no | -| [snapshot\_window](#input\_snapshot\_window) | The daily time range (in UTC) during which ElastiCache will begin taking a daily snapshot of your cache cluster. | `string` | `"06:30-07:30"` | no | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [subnets](#input\_subnets) | Subnet IDs | `list(string)` | `[]` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [transit\_encryption\_enabled](#input\_transit\_encryption\_enabled) | Set `true` to enable encryption in transit. Forced `true` if `var.auth_token` is set.
If this is enabled, use the [following guide](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls) to access redis. | `bool` | `true` | no | -| [use\_existing\_security\_groups](#input\_use\_existing\_security\_groups) | DEPRECATED: Use `create_security_group` instead.
Historical description: Flag to enable/disable creation of Security Group in the module.
Set to `true` to disable Security Group creation and provide a list of existing security Group IDs in `existing_security_groups` to place the cluster into.
Historical default: `false` | `bool` | `null` | no | -| [user\_group\_ids](#input\_user\_group\_ids) | User Group ID to associate with the replication group | `list(string)` | `null` | no | -| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes | -| [zone\_id](#input\_zone\_id) | Route53 DNS Zone ID as list of string (0 or 1 items). If empty, no custom DNS name will be published.
If the list contains a single Zone ID, a custom DNS name will be pulished in that zone.
Can also be a plain string, but that use is DEPRECATED because of Terraform issues. | `any` | `[]` | no | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [additional_security_group_rules](#input_additional_security_group_rules) | A list of Security Group rule objects to add to the created security group, in addition to the ones
this module normally creates. (To suppress the module's rules, set `create_security_group` to false
and supply your own security group via `associated_security_group_ids`.)
The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except
for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time.
To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . | `list(any)` | `[]` | no | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [alarm_actions](#input_alarm_actions) | Alarm action list | `list(string)` | `[]` | no | +| [alarm_cpu_threshold_percent](#input_alarm_cpu_threshold_percent) | CPU threshold alarm level | `number` | `75` | no | +| [alarm_memory_threshold_bytes](#input_alarm_memory_threshold_bytes) | Ram threshold alarm level | `number` | `10000000` | no | +| [allow_all_egress](#input_allow_all_egress) | If `true`, the created security group will allow egress on all ports and protocols to all IP address.
If this is false and no egress rules are otherwise specified, then no egress will be allowed.
Defaults to `true`. | `bool` | `null` | no | +| [allowed_security_group_ids](#input_allowed_security_group_ids) | A list of IDs of Security Groups to allow access to the security group created by this module. | `list(string)` | `[]` | no | +| [apply_immediately](#input_apply_immediately) | Apply changes immediately | `bool` | `true` | no | +| [associated_security_group_ids](#input_associated_security_group_ids) | A list of IDs of Security Groups to associate the created resource with, in addition to the created security group.
These security groups will not be modified and, if `create_security_group` is `false`, must provide all the required access. | `list(string)` | `[]` | no | +| [at_rest_encryption_enabled](#input_at_rest_encryption_enabled) | Enable encryption at rest | `bool` | `false` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [auth_token](#input_auth_token) | Auth token for password protecting redis, `transit_encryption_enabled` must be set to `true`. Password must be longer than 16 chars | `string` | `null` | no | +| [auto_minor_version_upgrade](#input_auto_minor_version_upgrade) | Specifies whether minor version engine upgrades will be applied automatically to the underlying Cache Cluster instances during the maintenance window. Only supported if the engine version is 6 or higher. | `bool` | `null` | no | +| [automatic_failover_enabled](#input_automatic_failover_enabled) | Automatic failover (Not available for T1/T2 instances) | `bool` | `false` | no | +| [availability_zones](#input_availability_zones) | Availability zone IDs | `list(string)` | `[]` | no | +| [cloudwatch_metric_alarms_enabled](#input_cloudwatch_metric_alarms_enabled) | Boolean flag to enable/disable CloudWatch metrics alarms | `bool` | `false` | no | +| [cluster_mode_enabled](#input_cluster_mode_enabled) | Flag to enable/disable creation of a native redis cluster. `automatic_failover_enabled` must be set to `true`. Only 1 `cluster_mode` block is allowed | `bool` | `false` | no | +| [cluster_mode_num_node_groups](#input_cluster_mode_num_node_groups) | Number of node groups (shards) for this Redis replication group. Changing this number will trigger an online resizing operation before other settings modifications | `number` | `0` | no | +| [cluster_mode_replicas_per_node_group](#input_cluster_mode_replicas_per_node_group) | Number of replica nodes in each node group. Valid values are 0 to 5. Changing this number will force a new resource | `number` | `0` | no | +| [cluster_size](#input_cluster_size) | Number of nodes in cluster. _Ignored when `cluster_mode_enabled` == `true`_ | `number` | `1` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` | 
{
 "additional_tag_map": {},
 "attributes": [],
 "delimiter": null,
 "descriptor_formats": {},
 "enabled": true,
 "environment": null,
 "id_length_limit": null,
 "label_key_case": null,
 "label_order": [],
 "label_value_case": null,
 "labels_as_tags": [
 "unset"
 ],
 "name": null,
 "namespace": null,
 "regex_replace_chars": null,
 "stage": null,
 "tags": {},
 "tenant": null
}
| no | +| [create_security_group](#input_create_security_group) | Set `true` to create and configure a new security group. If false, `associated_security_group_ids` must be provided. | `bool` | `true` | no | +| [data_tiering_enabled](#input_data_tiering_enabled) | Enables data tiering. Data tiering is only supported for replication groups using the r6gd node type. | `bool` | `false` | no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [description](#input_description) | Description of elasticache replication group | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [dns_subdomain](#input_dns_subdomain) | The subdomain to use for the CNAME record. If not provided then the CNAME record will use var.name. | `string` | `""` | no | +| [elasticache_subnet_group_name](#input_elasticache_subnet_group_name) | Subnet group name for the ElastiCache instance | `string` | `""` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [engine_version](#input_engine_version) | Redis engine version | `string` | `"4.0.10"` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [family](#input_family) | Redis family | `string` | `"redis4.0"` | no | +| [final_snapshot_identifier](#input_final_snapshot_identifier) | The name of your final node group (shard) snapshot. ElastiCache creates the snapshot from the primary node in the cluster. If omitted, no final snapshot will be made. | `string` | `null` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [instance_type](#input_instance_type) | Elastic cache instance type | `string` | `"cache.t2.micro"` | no | +| [kms_key_id](#input_kms_key_id) | The ARN of the key that you wish to use if encrypting at rest. If not supplied, uses service managed encryption. `at_rest_encryption_enabled` must be set to `true` | `string` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | 
[
 "default"
]
| no | +| [log_delivery_configuration](#input_log_delivery_configuration) | The log_delivery_configuration block allows the streaming of Redis SLOWLOG or Redis Engine Log to CloudWatch Logs or Kinesis Data Firehose. Max of 2 blocks. | `list(map(any))` | `[]` | no | +| [maintenance_window](#input_maintenance_window) | Maintenance window | `string` | `"wed:03:00-wed:04:00"` | no | +| [multi_az_enabled](#input_multi_az_enabled) | Multi AZ (Automatic Failover must also be enabled. If Cluster Mode is enabled, Multi AZ is on by default, and this setting is ignored) | `bool` | `false` | no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [notification_topic_arn](#input_notification_topic_arn) | Notification topic arn | `string` | `""` | no | +| [ok_actions](#input_ok_actions) | The list of actions to execute when this alarm transitions into an OK state from any other state. Each action is specified as an Amazon Resource Number (ARN) | `list(string)` | `[]` | no | +| [parameter](#input_parameter) | A list of Redis parameters to apply. Note that parameters may differ from one Redis family to another | 
list(object({
 name = string
 value = string
 }))
| `[]` | no | +| [parameter_group_description](#input_parameter_group_description) | Managed by Terraform | `string` | `null` | no | +| [port](#input_port) | Redis port | `number` | `6379` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [replication_group_id](#input_replication_group_id) | Replication group ID with the following constraints:
A name must contain from 1 to 20 alphanumeric characters or hyphens.
The first character must be a letter.
A name cannot end with a hyphen or contain two consecutive hyphens. | `string` | `""` | no | +| [security_group_create_before_destroy](#input_security_group_create_before_destroy) | Set `true` to enable Terraform `create_before_destroy` behavior on the created security group.
We only recommend setting this `false` if you are upgrading this module and need to keep
the existing security group from being replaced.
Note that changing this value will always cause the security group to be replaced. | `bool` | `true` | no | +| [security_group_create_timeout](#input_security_group_create_timeout) | How long to wait for the security group to be created. | `string` | `"10m"` | no | +| [security_group_delete_timeout](#input_security_group_delete_timeout) | How long to retry on `DependencyViolation` errors during security group deletion. | `string` | `"15m"` | no | +| [security_group_description](#input_security_group_description) | The description to assign to the created Security Group.
Warning: Changing the description causes the security group to be replaced.
Set this to `null` to maintain parity with releases <= `0.34.0`. | `string` | `"Security group for Elasticache Redis"` | no | +| [security_group_name](#input_security_group_name) | The name to assign to the created security group. Must be unique within the VPC.
If not provided, will be derived from the `null-label.context` passed in.
If `create_before_destroy` is true, will be used as a name prefix. | `list(string)` | `[]` | no | +| [snapshot_arns](#input_snapshot_arns) | A single-element string list containing an Amazon Resource Name (ARN) of a Redis RDB snapshot file stored in Amazon S3. Example: arn:aws:s3:::my_bucket/snapshot1.rdb | `list(string)` | `[]` | no | +| [snapshot_name](#input_snapshot_name) | The name of a snapshot from which to restore data into the new node group. Changing the snapshot_name forces a new resource. | `string` | `null` | no | +| [snapshot_retention_limit](#input_snapshot_retention_limit) | The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. | `number` | `0` | no | +| [snapshot_window](#input_snapshot_window) | The daily time range (in UTC) during which ElastiCache will begin taking a daily snapshot of your cache cluster. | `string` | `"06:30-07:30"` | no | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [subnets](#input_subnets) | Subnet IDs | `list(string)` | `[]` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [transit_encryption_enabled](#input_transit_encryption_enabled) | Set `true` to enable encryption in transit. Forced `true` if `var.auth_token` is set.
If this is enabled, use the [following guide](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls) to access redis. | `bool` | `true` | no | +| [user_group_ids](#input_user_group_ids) | User Group ID to associate with the replication group | `list(string)` | `null` | no | +| [vpc_id](#input_vpc_id) | VPC ID | `string` | n/a | yes | +| [zone_id](#input_zone_id) | Route53 DNS Zone ID as list of string (0 or 1 items). If empty, no custom DNS name will be published.
If the list contains a single Zone ID, a custom DNS name will be pulished in that zone.
Can also be a plain string, but that use is DEPRECATED because of Terraform issues. | `any` | `[]` | no | ## Outputs -| Name | Description | -|------|-------------| -| [arn](#output\_arn) | Elasticache Replication Group ARN | -| [cluster\_enabled](#output\_cluster\_enabled) | Indicates if cluster mode is enabled | -| [endpoint](#output\_endpoint) | Redis primary or configuration endpoint, whichever is appropriate for the given cluster mode | -| [engine\_version\_actual](#output\_engine\_version\_actual) | The running version of the cache engine | -| [host](#output\_host) | Redis hostname | -| [id](#output\_id) | Redis cluster ID | -| [member\_clusters](#output\_member\_clusters) | Redis cluster members | -| [port](#output\_port) | Redis port | -| [reader\_endpoint\_address](#output\_reader\_endpoint\_address) | The address of the endpoint for the reader node in the replication group, if the cluster mode is disabled. | -| [security\_group\_id](#output\_security\_group\_id) | The ID of the created security group | -| [security\_group\_name](#output\_security\_group\_name) | The name of the created security group | - - +| Name | Description | +| -------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | +| [arn](#output_arn) | Elasticache Replication Group ARN | +| [cluster_enabled](#output_cluster_enabled) | Indicates if cluster mode is enabled | +| [endpoint](#output_endpoint) | Redis primary or configuration endpoint, whichever is appropriate for the given cluster mode | +| [engine_version_actual](#output_engine_version_actual) | The running version of the cache engine | +| [host](#output_host) | Redis hostname | +| [id](#output_id) | Redis cluster ID | +| [member_clusters](#output_member_clusters) | Redis cluster members | +| [port](#output_port) | Redis port | +| [reader_endpoint_address](#output_reader_endpoint_address) | The address of the endpoint for the reader node in the replication group, if the cluster mode is disabled. | +| [security_group_id](#output_security_group_id) | The ID of the created security group | +| [security_group_name](#output_security_group_name) | The name of the created security group | + ## Share the Love @@ -344,8 +320,6 @@ Like this project? Please give it a ★ on [our GitHub](https://github.com/cloud Are you using this project or any of our other projects? Consider [leaving a testimonial][testimonial]. =) - - ## Related Projects Check out these related projects. @@ -363,7 +337,6 @@ File a GitHub [issue](https://github.com/cloudposse/terraform-aws-elasticache-re ## DevOps Accelerator for Startups - We are a [**DevOps Accelerator**][commercial_support]. We'll help you build your cloud infrastructure from the ground up so you can own it. Then we'll show you how to operate it and stick around for as long as you need us. [![Learn More](https://img.shields.io/badge/learn%20more-success.svg?style=for-the-badge)][commercial_support] @@ -385,7 +358,7 @@ We deliver 10x the value for a fraction of the cost of a full-time engineer. Our ## Slack Community -Join our [Open Source Community][slack] on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure. +Join our [Open Source Community][slack] on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally _sweet_ infrastructure. ## Discourse Forums @@ -393,7 +366,7 @@ Participate in our [Discourse Forums][discourse]. Here you'll find answers to co ## Newsletter -Sign up for [our newsletter][newsletter] that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover. +Sign up for [our newsletter][newsletter] that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover. ## Office Hours @@ -413,21 +386,18 @@ If you are interested in being a contributor and want to get involved in develop In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow. - 1. **Fork** the repo on GitHub - 2. **Clone** the project to your own machine - 3. **Commit** changes to your own branch - 4. **Push** your work back up to your fork - 5. Submit a **Pull Request** so that we can review your changes +1. **Fork** the repo on GitHub +2. **Clone** the project to your own machine +3. **Commit** changes to your own branch +4. **Push** your work back up to your fork +5. Submit a **Pull Request** so that we can review your changes **NOTE:** Be sure to merge the latest changes from "upstream" before making a pull request! - ## Copyright Copyright © 2017-2023 [Cloud Posse, LLC](https://cpco.io/copyright) - - ## License [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) @@ -453,14 +423,6 @@ specific language governing permissions and limitations under the License. ``` - - - - - - - - ## Trademarks All other trademarks referenced herein are the property of their respective owners. @@ -471,67 +433,70 @@ This project is maintained and funded by [Cloud Posse, LLC][website]. Like it? P [![Cloud Posse][logo]][website] -We're a [DevOps Professional Services][hire] company based in Los Angeles, CA. We ❤️ [Open Source Software][we_love_open_source]. +We're a [DevOps Professional Services][hire] company based in Los Angeles, CA. We ❤️ [Open Source Software][we_love_open_source]. We offer [paid support][commercial_support] on all of our projects. Check out [our other projects][github], [follow us on twitter][twitter], [apply for a job][jobs], or [hire us][hire] to help with your cloud strategy and implementation. - - ### Contributors -| [![Erik Osterman][osterman_avatar]][osterman_homepage]
[Erik Osterman][osterman_homepage] | [![Igor Rodionov][goruha_avatar]][goruha_homepage]
[Igor Rodionov][goruha_homepage] | [![Andriy Knysh][aknysh_avatar]][aknysh_homepage]
[Andriy Knysh][aknysh_homepage] | [![Daren Desjardins][darend_avatar]][darend_homepage]
[Daren Desjardins][darend_homepage] | [![Max Moon][MoonMoon1919_avatar]][MoonMoon1919_homepage]
[Max Moon][MoonMoon1919_homepage] | [![Christopher Riley][christopherriley_avatar]][christopherriley_homepage]
[Christopher Riley][christopherriley_homepage] | [![RB][nitrocode_avatar]][nitrocode_homepage]
[RB][nitrocode_homepage] | -|---|---|---|---|---|---|---| + +| [![Erik Osterman][osterman_avatar]][osterman_homepage]
[Erik Osterman][osterman_homepage] | [![Igor Rodionov][goruha_avatar]][goruha_homepage]
[Igor Rodionov][goruha_homepage] | [![Andriy Knysh][aknysh_avatar]][aknysh_homepage]
[Andriy Knysh][aknysh_homepage] | [![Daren Desjardins][darend_avatar]][darend_homepage]
[Daren Desjardins][darend_homepage] | [![Max Moon][MoonMoon1919_avatar]][MoonMoon1919_homepage]
[Max Moon][MoonMoon1919_homepage] | [![Christopher Riley][christopherriley_avatar]][christopherriley_homepage]
[Christopher Riley][christopherriley_homepage] | [![RB][nitrocode_avatar]][nitrocode_homepage]
[RB][nitrocode_homepage] | +| --------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- | + - [osterman_homepage]: https://github.com/osterman - [osterman_avatar]: https://img.cloudposse.com/150x150/https://github.com/osterman.png - [goruha_homepage]: https://github.com/goruha - [goruha_avatar]: https://img.cloudposse.com/150x150/https://github.com/goruha.png - [aknysh_homepage]: https://github.com/aknysh - [aknysh_avatar]: https://img.cloudposse.com/150x150/https://github.com/aknysh.png - [darend_homepage]: https://github.com/darend - [darend_avatar]: https://img.cloudposse.com/150x150/https://github.com/darend.png - [MoonMoon1919_homepage]: https://github.com/MoonMoon1919 - [MoonMoon1919_avatar]: https://img.cloudposse.com/150x150/https://github.com/MoonMoon1919.png - [christopherriley_homepage]: https://github.com/christopherriley - [christopherriley_avatar]: https://img.cloudposse.com/150x150/https://github.com/christopherriley.png - [nitrocode_homepage]: https://github.com/nitrocode - [nitrocode_avatar]: https://img.cloudposse.com/150x150/https://github.com/nitrocode.png +[osterman_homepage]: https://github.com/osterman +[osterman_avatar]: https://img.cloudposse.com/150x150/https://github.com/osterman.png +[goruha_homepage]: https://github.com/goruha +[goruha_avatar]: https://img.cloudposse.com/150x150/https://github.com/goruha.png +[aknysh_homepage]: https://github.com/aknysh +[aknysh_avatar]: https://img.cloudposse.com/150x150/https://github.com/aknysh.png +[darend_homepage]: https://github.com/darend +[darend_avatar]: https://img.cloudposse.com/150x150/https://github.com/darend.png +[MoonMoon1919_homepage]: https://github.com/MoonMoon1919 +[MoonMoon1919_avatar]: https://img.cloudposse.com/150x150/https://github.com/MoonMoon1919.png +[christopherriley_homepage]: https://github.com/christopherriley +[christopherriley_avatar]: https://img.cloudposse.com/150x150/https://github.com/christopherriley.png +[nitrocode_homepage]: https://github.com/nitrocode +[nitrocode_avatar]: https://img.cloudposse.com/150x150/https://github.com/nitrocode.png [![README Footer][readme_footer_img]][readme_footer_link] [![Beacon][beacon]][website] + - [logo]: https://cloudposse.com/logo-300x69.svg - [docs]: https://cpco.io/docs?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=docs - [website]: https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=website - [github]: https://cpco.io/github?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=github - [jobs]: https://cpco.io/jobs?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=jobs - [hire]: https://cpco.io/hire?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=hire - [slack]: https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=slack - [linkedin]: https://cpco.io/linkedin?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=linkedin - [twitter]: https://cpco.io/twitter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=twitter - [testimonial]: https://cpco.io/leave-testimonial?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=testimonial - [office_hours]: https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=office_hours - [newsletter]: https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=newsletter - [discourse]: https://ask.sweetops.com/?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=discourse - [email]: https://cpco.io/email?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=email - [commercial_support]: https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=commercial_support - [we_love_open_source]: https://cpco.io/we-love-open-source?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=we_love_open_source - [terraform_modules]: https://cpco.io/terraform-modules?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=terraform_modules - [readme_header_img]: https://cloudposse.com/readme/header/img - [readme_header_link]: https://cloudposse.com/readme/header/link?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=readme_header_link - [readme_footer_img]: https://cloudposse.com/readme/footer/img - [readme_footer_link]: https://cloudposse.com/readme/footer/link?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=readme_footer_link - [readme_commercial_support_img]: https://cloudposse.com/readme/commercial-support/img - [readme_commercial_support_link]: https://cloudposse.com/readme/commercial-support/link?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=readme_commercial_support_link - [share_twitter]: https://twitter.com/intent/tweet/?text=terraform-aws-elasticache-redis&url=https://github.com/cloudposse/terraform-aws-elasticache-redis - [share_linkedin]: https://www.linkedin.com/shareArticle?mini=true&title=terraform-aws-elasticache-redis&url=https://github.com/cloudposse/terraform-aws-elasticache-redis - [share_reddit]: https://reddit.com/submit/?url=https://github.com/cloudposse/terraform-aws-elasticache-redis - [share_facebook]: https://facebook.com/sharer/sharer.php?u=https://github.com/cloudposse/terraform-aws-elasticache-redis - [share_googleplus]: https://plus.google.com/share?url=https://github.com/cloudposse/terraform-aws-elasticache-redis - [share_email]: mailto:?subject=terraform-aws-elasticache-redis&body=https://github.com/cloudposse/terraform-aws-elasticache-redis - [beacon]: https://ga-beacon.cloudposse.com/UA-76589703-4/cloudposse/terraform-aws-elasticache-redis?pixel&cs=github&cm=readme&an=terraform-aws-elasticache-redis + +[logo]: https://cloudposse.com/logo-300x69.svg +[docs]: https://cpco.io/docs?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=docs +[website]: https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=website +[github]: https://cpco.io/github?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=github +[jobs]: https://cpco.io/jobs?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=jobs +[hire]: https://cpco.io/hire?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=hire +[slack]: https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=slack +[linkedin]: https://cpco.io/linkedin?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=linkedin +[twitter]: https://cpco.io/twitter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=twitter +[testimonial]: https://cpco.io/leave-testimonial?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=testimonial +[office_hours]: https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=office_hours +[newsletter]: https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=newsletter +[discourse]: https://ask.sweetops.com/?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=discourse +[email]: https://cpco.io/email?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=email +[commercial_support]: https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=commercial_support +[we_love_open_source]: https://cpco.io/we-love-open-source?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=we_love_open_source +[terraform_modules]: https://cpco.io/terraform-modules?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=terraform_modules +[readme_header_img]: https://cloudposse.com/readme/header/img +[readme_header_link]: https://cloudposse.com/readme/header/link?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=readme_header_link +[readme_footer_img]: https://cloudposse.com/readme/footer/img +[readme_footer_link]: https://cloudposse.com/readme/footer/link?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=readme_footer_link +[readme_commercial_support_img]: https://cloudposse.com/readme/commercial-support/img +[readme_commercial_support_link]: https://cloudposse.com/readme/commercial-support/link?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-elasticache-redis&utm_content=readme_commercial_support_link +[share_twitter]: https://twitter.com/intent/tweet/?text=terraform-aws-elasticache-redis&url=https://github.com/cloudposse/terraform-aws-elasticache-redis +[share_linkedin]: https://www.linkedin.com/shareArticle?mini=true&title=terraform-aws-elasticache-redis&url=https://github.com/cloudposse/terraform-aws-elasticache-redis +[share_reddit]: https://reddit.com/submit/?url=https://github.com/cloudposse/terraform-aws-elasticache-redis +[share_facebook]: https://facebook.com/sharer/sharer.php?u=https://github.com/cloudposse/terraform-aws-elasticache-redis +[share_googleplus]: https://plus.google.com/share?url=https://github.com/cloudposse/terraform-aws-elasticache-redis +[share_email]: mailto:?subject=terraform-aws-elasticache-redis&body=https://github.com/cloudposse/terraform-aws-elasticache-redis +[beacon]: https://ga-beacon.cloudposse.com/UA-76589703-4/cloudposse/terraform-aws-elasticache-redis?pixel&cs=github&cm=readme&an=terraform-aws-elasticache-redis + diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 5f453a4d..03d8bac3 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -47,7 +47,7 @@ module "redis" { availability_zones = var.availability_zones zone_id = [aws_route53_zone.private.id] vpc_id = module.vpc.vpc_id - allowed_security_groups = [module.vpc.vpc_default_security_group_id] + allowed_security_group_ids = [module.vpc.vpc_default_security_group_id] subnets = module.subnets.private_subnet_ids cluster_size = var.cluster_size instance_type = var.instance_type diff --git a/main.tf b/main.tf index 05255939..b23b4db1 100644 --- a/main.tf +++ b/main.tf @@ -2,27 +2,8 @@ # Security Group Resources # locals { - enabled = module.this.enabled - - legacy_egress_rule = local.use_legacy_egress ? { - key = "legacy-egress" - type = "egress" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = var.egress_cidr_blocks - description = "Allow outbound traffic to existing CIDR blocks" - } : null - - legacy_cidr_ingress_rule = length(var.allowed_cidr_blocks) == 0 ? null : { - key = "legacy-cidr-ingress" - type = "ingress" - from_port = var.port - to_port = var.port - protocol = "tcp" - cidr_blocks = var.allowed_cidr_blocks - description = "Allow inbound traffic from CIDR blocks" - } + enabled = module.this.enabled + create_security_group = local.enabled && var.create_security_group sg_rules = { legacy = merge(local.legacy_egress_rule, local.legacy_cidr_ingress_rule), @@ -36,12 +17,12 @@ module "aws_security_group" { enabled = local.create_security_group - allow_all_egress = local.allow_all_egress + allow_all_egress = var.allow_all_egress security_group_name = var.security_group_name rules_map = local.sg_rules rule_matrix = [{ key = "in" - source_security_group_ids = local.allowed_security_group_ids + source_security_group_ids = var.allowed_security_group_ids cidr_blocks = var.allowed_cidr_blocks rules = [{ key = "in" @@ -53,12 +34,9 @@ module "aws_security_group" { }] }] - vpc_id = var.vpc_id - - security_group_description = local.security_group_description - - create_before_destroy = var.security_group_create_before_destroy - + vpc_id = var.vpc_id + security_group_description = var.security_group_description + create_before_destroy = var.security_group_create_before_destroy security_group_create_timeout = var.security_group_create_timeout security_group_delete_timeout = var.security_group_delete_timeout @@ -77,11 +55,11 @@ locals { var.cluster_size ) - elasticache_member_clusters = module.this.enabled ? tolist(aws_elasticache_replication_group.default[0].member_clusters) : [] + elasticache_member_clusters = local.enabled ? tolist(aws_elasticache_replication_group.default[0].member_clusters) : [] } resource "aws_elasticache_subnet_group" "default" { - count = module.this.enabled && var.elasticache_subnet_group_name == "" && length(var.subnets) > 0 ? 1 : 0 + count = local.enabled && var.elasticache_subnet_group_name == "" && length(var.subnets) > 0 ? 1 : 0 name = module.this.id description = "Elasticache subnet group for ${module.this.id}" subnet_ids = var.subnets @@ -89,7 +67,7 @@ resource "aws_elasticache_subnet_group" "default" { } resource "aws_elasticache_parameter_group" "default" { - count = module.this.enabled ? 1 : 0 + count = local.enabled ? 1 : 0 name = module.this.id description = var.parameter_group_description != null ? var.parameter_group_description : "Elasticache parameter group for ${module.this.id}" family = var.family @@ -113,7 +91,7 @@ resource "aws_elasticache_parameter_group" "default" { } resource "aws_elasticache_replication_group" "default" { - count = module.this.enabled ? 1 : 0 + count = local.enabled ? 1 : 0 auth_token = var.transit_encryption_enabled ? var.auth_token : null replication_group_id = var.replication_group_id == "" ? module.this.id : var.replication_group_id @@ -129,7 +107,7 @@ resource "aws_elasticache_replication_group" "default" { # It would be nice to remove null or duplicate security group IDs, if there are any, using `compact`, # but that causes problems, and having duplicates does not seem to cause problems. # See https://github.com/hashicorp/terraform/issues/29799 - security_group_ids = local.create_security_group ? concat(local.associated_security_group_ids, [module.aws_security_group.id]) : local.associated_security_group_ids + security_group_ids = local.create_security_group ? concat(var.associated_security_group_ids, [module.aws_security_group.id]) : var.associated_security_group_ids maintenance_window = var.maintenance_window notification_topic_arn = var.notification_topic_arn engine_version = var.engine_version @@ -167,7 +145,7 @@ resource "aws_elasticache_replication_group" "default" { # CloudWatch Resources # resource "aws_cloudwatch_metric_alarm" "cache_cpu" { - count = module.this.enabled && var.cloudwatch_metric_alarms_enabled ? local.member_clusters_count : 0 + count = local.enabled && var.cloudwatch_metric_alarms_enabled ? local.member_clusters_count : 0 alarm_name = "${element(local.elasticache_member_clusters, count.index)}-cpu-utilization" alarm_description = "Redis cluster CPU utilization" comparison_operator = "GreaterThanThreshold" @@ -191,7 +169,7 @@ resource "aws_cloudwatch_metric_alarm" "cache_cpu" { } resource "aws_cloudwatch_metric_alarm" "cache_memory" { - count = module.this.enabled && var.cloudwatch_metric_alarms_enabled ? local.member_clusters_count : 0 + count = local.enabled && var.cloudwatch_metric_alarms_enabled ? local.member_clusters_count : 0 alarm_name = "${element(local.elasticache_member_clusters, count.index)}-freeable-memory" alarm_description = "Redis cluster freeable memory" comparison_operator = "LessThanThreshold" @@ -218,7 +196,7 @@ module "dns" { source = "cloudposse/route53-cluster-hostname/aws" version = "0.12.2" - enabled = module.this.enabled && length(var.zone_id) > 0 ? true : false + enabled = local.enabled && length(var.zone_id) > 0 ? true : false dns_name = var.dns_subdomain != "" ? var.dns_subdomain : module.this.id ttl = 60 zone_id = try(var.zone_id[0], tostring(var.zone_id), "") diff --git a/security_group_inputs.tf b/security_group_inputs.tf index 5958bada..8b137891 100644 --- a/security_group_inputs.tf +++ b/security_group_inputs.tf @@ -1,112 +1 @@ -# security_group_inputs Version: 1 -## - -variable "create_security_group" { - type = bool - default = true - description = "Set `true` to create and configure a new security group. If false, `associated_security_group_ids` must be provided." -} - -locals { - create_security_group = local.enabled && (var.use_existing_security_groups == null ? var.create_security_group : !var.use_existing_security_groups) -} - -variable "associated_security_group_ids" { - type = list(string) - default = [] - description = <<-EOT - A list of IDs of Security Groups to associate the created resource with, in addition to the created security group. - These security groups will not be modified and, if `create_security_group` is `false`, must provide all the required access. - EOT -} - -locals { - associated_security_group_ids = concat(var.existing_security_groups, var.associated_security_group_ids) -} - -variable "allowed_security_group_ids" { - type = list(string) - default = [] - description = <<-EOT - A list of IDs of Security Groups to allow access to the security group created by this module. - EOT -} - -locals { - allowed_security_group_ids = concat(var.allowed_security_groups, var.allowed_security_group_ids) -} - - -variable "security_group_name" { - type = list(string) - default = [] - description = <<-EOT - The name to assign to the created security group. Must be unique within the VPC. - If not provided, will be derived from the `null-label.context` passed in. - If `create_before_destroy` is true, will be used as a name prefix. - EOT -} - -variable "security_group_description" { - type = string - default = "Security group for Elasticache Redis" - description = <<-EOT - The description to assign to the created Security Group. - Warning: Changing the description causes the security group to be replaced. - Set this to `null` to maintain parity with releases <= `0.34.0`. - EOT -} - -locals { - security_group_description = var.security_group_description == null ? "Managed by Terraform" : var.security_group_description -} - -variable "security_group_create_before_destroy" { - type = bool - default = true - description = <<-EOT - Set `true` to enable Terraform `create_before_destroy` behavior on the created security group. - We only recommend setting this `false` if you are upgrading this module and need to keep - the existing security group from being replaced. - Note that changing this value will always cause the security group to be replaced. - EOT -} - -variable "security_group_create_timeout" { - type = string - default = "10m" - description = "How long to wait for the security group to be created." -} - -variable "security_group_delete_timeout" { - type = string - default = "15m" - description = <<-EOT - How long to retry on `DependencyViolation` errors during security group deletion. - EOT -} - - -variable "allow_all_egress" { - type = bool - default = null - description = <<-EOT - If `true`, the created security group will allow egress on all ports and protocols to all IP address. - If this is false and no egress rules are otherwise specified, then no egress will be allowed. - Defaults to `true` unless the deprecated `egress_cidr_blocks` is provided and is not `["0.0.0.0/0"]`, in which case defaults to `false`. - EOT -} - -variable "additional_security_group_rules" { - type = list(any) - default = [] - description = <<-EOT - A list of Security Group rule objects to add to the created security group, in addition to the ones - this module normally creates. (To suppress the module's rules, set `create_security_group` to false - and supply your own security group via `associated_security_group_ids`.) - The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except - for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time. - To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . - EOT -} diff --git a/variables-deprecated.tf b/variables-deprecated.tf deleted file mode 100644 index 11c47d51..00000000 --- a/variables-deprecated.tf +++ /dev/null @@ -1,60 +0,0 @@ -variable "use_existing_security_groups" { - type = bool - description = <<-EOT - DEPRECATED: Use `create_security_group` instead. - Historical description: Flag to enable/disable creation of Security Group in the module. - Set to `true` to disable Security Group creation and provide a list of existing security Group IDs in `existing_security_groups` to place the cluster into. - Historical default: `false` - EOT - default = null -} - -variable "existing_security_groups" { - type = list(string) - default = [] - description = <<-EOT - DEPRECATED: Use `associated_security_group_ids` instead. - Historical description: List of existing Security Group IDs to place the cluster into. - Set `use_existing_security_groups` to `true` to enable using `existing_security_groups` as Security Groups for the cluster. - EOT -} - -variable "allowed_security_groups" { - type = list(string) - default = [] - description = <<-EOT - DEPRECATED: Use `allowed_security_group_ids` instead. - EOT -} - -variable "allowed_cidr_blocks" { - type = list(string) - default = [] - description = <<-EOT - DEPRECATED: Use `additional_security_group_rules` instead. - Historical description: List of CIDR blocks that are allowed ingress to the cluster's Security Group created in the module - EOT -} - -variable "egress_cidr_blocks" { - type = list(any) - default = null - description = <<-EOT - DEPRECATED: Use `allow_all_egress` and `additional_security_group_rules` instead. - Historical description: Outbound traffic address. - Historical default: ["0.0.0.0/0"] - EOT -} - -locals { - # Use the legacy egress rule unless: - # - var.egress_cidr_blocks is null, which means use the default, which is allow all egress - # - var.allow_all_egress is true, which explicitly means allow all egress - # - var.egress_cidr_blocks is exactly ["0.0.0.0/0"], which we interpret to mean "allow all egress" - use_legacy_egress = !(var.egress_cidr_blocks == null || var.allow_all_egress == true || ( - try(length(var.egress_cidr_blocks), 0) == 1 && try(var.egress_cidr_blocks[0], "") == "0.0.0.0/0") - ) - - # If var.allow_all_egress is null, default to true unless some alternate legacy rule was provided - allow_all_egress = var.allow_all_egress == null ? !local.use_legacy_egress : var.allow_all_egress -} diff --git a/variables.tf b/variables.tf index a3731c3e..fe0a2051 100644 --- a/variables.tf +++ b/variables.tf @@ -9,6 +9,98 @@ variable "subnets" { default = [] } +variable "create_security_group" { + type = bool + default = true + description = "Set `true` to create and configure a new security group. If false, `associated_security_group_ids` must be provided." +} + +variable "associated_security_group_ids" { + type = list(string) + default = [] + description = <<-EOT + A list of IDs of Security Groups to associate the created resource with, in addition to the created security group. + These security groups will not be modified and, if `create_security_group` is `false`, must provide all the required access. + EOT +} + +variable "allowed_security_group_ids" { + type = list(string) + default = [] + description = <<-EOT + A list of IDs of Security Groups to allow access to the security group created by this module. + EOT +} + +variable "security_group_name" { + type = list(string) + default = [] + description = <<-EOT + The name to assign to the created security group. Must be unique within the VPC. + If not provided, will be derived from the `null-label.context` passed in. + If `create_before_destroy` is true, will be used as a name prefix. + EOT +} + +variable "security_group_description" { + type = string + default = "Security group for Elasticache Redis" + description = <<-EOT + The description to assign to the created Security Group. + Warning: Changing the description causes the security group to be replaced. + Set this to `null` to maintain parity with releases <= `0.34.0`. + EOT +} + +variable "security_group_create_before_destroy" { + type = bool + default = true + description = <<-EOT + Set `true` to enable Terraform `create_before_destroy` behavior on the created security group. + We only recommend setting this `false` if you are upgrading this module and need to keep + the existing security group from being replaced. + Note that changing this value will always cause the security group to be replaced. + EOT +} + +variable "security_group_create_timeout" { + type = string + default = "10m" + description = "How long to wait for the security group to be created." +} + +variable "security_group_delete_timeout" { + type = string + default = "15m" + description = <<-EOT + How long to retry on `DependencyViolation` errors during security group deletion. + EOT +} + + +variable "allow_all_egress" { + type = bool + default = null + description = <<-EOT + If `true`, the created security group will allow egress on all ports and protocols to all IP address. + If this is false and no egress rules are otherwise specified, then no egress will be allowed. + Defaults to `true`. + EOT +} + +variable "additional_security_group_rules" { + type = list(any) + default = [] + description = <<-EOT + A list of Security Group rule objects to add to the created security group, in addition to the ones + this module normally creates. (To suppress the module's rules, set `create_security_group` to false + and supply your own security group via `associated_security_group_ids`.) + The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except + for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time. + To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . + EOT +} + variable "elasticache_subnet_group_name" { type = string description = "Subnet group name for the ElastiCache instance" From c0dcbc80916cb2337c3277317ba4f526cb7def34 Mon Sep 17 00:00:00 2001 From: Mohankumar-studiographene Date: Thu, 17 Aug 2023 10:56:23 +0530 Subject: [PATCH 03/28] Fix: Deprecated SG locals ref removed --- main.tf | 14 ++++---------- variables.tf | 6 +++--- 2 files changed, 7 insertions(+), 13 deletions(-) diff --git a/main.tf b/main.tf index b23b4db1..298e271b 100644 --- a/main.tf +++ b/main.tf @@ -1,14 +1,6 @@ -# -# Security Group Resources -# locals { enabled = module.this.enabled create_security_group = local.enabled && var.create_security_group - - sg_rules = { - legacy = merge(local.legacy_egress_rule, local.legacy_cidr_ingress_rule), - extra = var.additional_security_group_rules - } } module "aws_security_group" { @@ -18,8 +10,10 @@ module "aws_security_group" { enabled = local.create_security_group allow_all_egress = var.allow_all_egress - security_group_name = var.security_group_name - rules_map = local.sg_rules + security_group_name = coalesce(var.security_group_name, "${module.this.id}-elasticache-redis") + rules_map = { + extra = var.additional_security_group_rules + } rule_matrix = [{ key = "in" source_security_group_ids = var.allowed_security_group_ids diff --git a/variables.tf b/variables.tf index fe0a2051..9bf96fbb 100644 --- a/variables.tf +++ b/variables.tf @@ -33,11 +33,11 @@ variable "allowed_security_group_ids" { } variable "security_group_name" { - type = list(string) - default = [] + type = string + default = null description = <<-EOT The name to assign to the created security group. Must be unique within the VPC. - If not provided, will be derived from the `null-label.context` passed in. + If not provided, default value of '-elasticache-redis' is set. If `create_before_destroy` is true, will be used as a name prefix. EOT } From debc7e66c27eb075e4514ef606af8c30d393af08 Mon Sep 17 00:00:00 2001 From: Mohankumar-studiographene Date: Thu, 17 Aug 2023 11:26:24 +0530 Subject: [PATCH 04/28] Redundant attr: Removed rule_matrix --- main.tf | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/main.tf b/main.tf index 298e271b..76344bfe 100644 --- a/main.tf +++ b/main.tf @@ -14,19 +14,6 @@ module "aws_security_group" { rules_map = { extra = var.additional_security_group_rules } - rule_matrix = [{ - key = "in" - source_security_group_ids = var.allowed_security_group_ids - cidr_blocks = var.allowed_cidr_blocks - rules = [{ - key = "in" - type = "ingress" - from_port = var.port - to_port = var.port - protocol = "tcp" - description = "Selectively allow inbound traffic" - }] - }] vpc_id = var.vpc_id security_group_description = var.security_group_description From 3f67a55f2b5145600d31d2fea83821b9eb5e4e97 Mon Sep 17 00:00:00 2001 From: Mohankumar-studiographene Date: Thu, 17 Aug 2023 12:59:49 +0530 Subject: [PATCH 05/28] Fix: security_group_name input type to list --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 76344bfe..6d792ad5 100644 --- a/main.tf +++ b/main.tf @@ -10,7 +10,7 @@ module "aws_security_group" { enabled = local.create_security_group allow_all_egress = var.allow_all_egress - security_group_name = coalesce(var.security_group_name, "${module.this.id}-elasticache-redis") + security_group_name = [coalesce(var.security_group_name, "${module.this.id}-elasticache-redis")] rules_map = { extra = var.additional_security_group_rules } From 7d01f04a1cb5a67795aa5a538b7cf0ad5dcfe3e9 Mon Sep 17 00:00:00 2001 From: Mohankumar-studiographene Date: Thu, 17 Aug 2023 13:05:45 +0530 Subject: [PATCH 06/28] Fix: allow_all_egress default to true --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index 9bf96fbb..be0a8dce 100644 --- a/variables.tf +++ b/variables.tf @@ -80,7 +80,7 @@ variable "security_group_delete_timeout" { variable "allow_all_egress" { type = bool - default = null + default = true description = <<-EOT If `true`, the created security group will allow egress on all ports and protocols to all IP address. If this is false and no egress rules are otherwise specified, then no egress will be allowed. From ce15163d19e9e460882977eac244a6a0733acd45 Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Mon, 21 Aug 2023 15:14:56 +0530 Subject: [PATCH 07/28] added security group config for redis --- main.tf | 29 ++----------- security_group.tf | 29 +++++++++++++ security_group_inputs.tf | 1 - variables.tf | 88 ++-------------------------------------- 4 files changed, 36 insertions(+), 111 deletions(-) create mode 100644 security_group.tf delete mode 100644 security_group_inputs.tf diff --git a/main.tf b/main.tf index 6d792ad5..21667424 100644 --- a/main.tf +++ b/main.tf @@ -1,28 +1,3 @@ -locals { - enabled = module.this.enabled - create_security_group = local.enabled && var.create_security_group -} - -module "aws_security_group" { - source = "cloudposse/security-group/aws" - version = "1.0.1" - - enabled = local.create_security_group - - allow_all_egress = var.allow_all_egress - security_group_name = [coalesce(var.security_group_name, "${module.this.id}-elasticache-redis")] - rules_map = { - extra = var.additional_security_group_rules - } - - vpc_id = var.vpc_id - security_group_description = var.security_group_description - create_before_destroy = var.security_group_create_before_destroy - security_group_create_timeout = var.security_group_create_timeout - security_group_delete_timeout = var.security_group_delete_timeout - - context = module.this.context -} locals { elasticache_subnet_group_name = var.elasticache_subnet_group_name != "" ? var.elasticache_subnet_group_name : join("", aws_elasticache_subnet_group.default[*].name) @@ -88,7 +63,9 @@ resource "aws_elasticache_replication_group" "default" { # It would be nice to remove null or duplicate security group IDs, if there are any, using `compact`, # but that causes problems, and having duplicates does not seem to cause problems. # See https://github.com/hashicorp/terraform/issues/29799 - security_group_ids = local.create_security_group ? concat(var.associated_security_group_ids, [module.aws_security_group.id]) : var.associated_security_group_ids + security_group_ids = compact( + concat(var.additional_security_groups, [aws_security_group.alb.id]), + ) maintenance_window = var.maintenance_window notification_topic_arn = var.notification_topic_arn engine_version = var.engine_version diff --git a/security_group.tf b/security_group.tf new file mode 100644 index 00000000..3216df45 --- /dev/null +++ b/security_group.tf @@ -0,0 +1,29 @@ + +resource "aws_security_group" "redis" { + name = "${module.this.id}-redis-sg" + description = "Controls access to the Redis Cluster" + vpc_id = var.vpc_id + egress { + protocol = "-1" + from_port = 0 + to_port = 0 + cidr_blocks = ["0.0.0.0/0"] + } + tags = merge( + module.this.tags, + { + Name = "${module.this.id}-redis-sg" + }, + ) +} + +resource "aws_security_group_rule" "ingress_redis" { + + security_group_id = aws_security_group.redis.id + type = "ingress" + from_port = 6379 + to_port = 6379 + protocol = "tcp" + cidr_blocks = var.redis_ingress_cidr_blocks +} + diff --git a/security_group_inputs.tf b/security_group_inputs.tf deleted file mode 100644 index 8b137891..00000000 --- a/security_group_inputs.tf +++ /dev/null @@ -1 +0,0 @@ - diff --git a/variables.tf b/variables.tf index be0a8dce..a166176b 100644 --- a/variables.tf +++ b/variables.tf @@ -9,96 +9,16 @@ variable "subnets" { default = [] } -variable "create_security_group" { - type = bool - default = true - description = "Set `true` to create and configure a new security group. If false, `associated_security_group_ids` must be provided." -} - -variable "associated_security_group_ids" { +variable "redis_ingress_cidr_blocks" { + description = "List of IPv4 CIDR ranges to use on all ingress rules" type = list(string) default = [] - description = <<-EOT - A list of IDs of Security Groups to associate the created resource with, in addition to the created security group. - These security groups will not be modified and, if `create_security_group` is `false`, must provide all the required access. - EOT } -variable "allowed_security_group_ids" { +variable "redis_additional_security_groups" { + description = "A list of security group IDs to assign to the Redis." type = list(string) default = [] - description = <<-EOT - A list of IDs of Security Groups to allow access to the security group created by this module. - EOT -} - -variable "security_group_name" { - type = string - default = null - description = <<-EOT - The name to assign to the created security group. Must be unique within the VPC. - If not provided, default value of '-elasticache-redis' is set. - If `create_before_destroy` is true, will be used as a name prefix. - EOT -} - -variable "security_group_description" { - type = string - default = "Security group for Elasticache Redis" - description = <<-EOT - The description to assign to the created Security Group. - Warning: Changing the description causes the security group to be replaced. - Set this to `null` to maintain parity with releases <= `0.34.0`. - EOT -} - -variable "security_group_create_before_destroy" { - type = bool - default = true - description = <<-EOT - Set `true` to enable Terraform `create_before_destroy` behavior on the created security group. - We only recommend setting this `false` if you are upgrading this module and need to keep - the existing security group from being replaced. - Note that changing this value will always cause the security group to be replaced. - EOT -} - -variable "security_group_create_timeout" { - type = string - default = "10m" - description = "How long to wait for the security group to be created." -} - -variable "security_group_delete_timeout" { - type = string - default = "15m" - description = <<-EOT - How long to retry on `DependencyViolation` errors during security group deletion. - EOT -} - - -variable "allow_all_egress" { - type = bool - default = true - description = <<-EOT - If `true`, the created security group will allow egress on all ports and protocols to all IP address. - If this is false and no egress rules are otherwise specified, then no egress will be allowed. - Defaults to `true`. - EOT -} - -variable "additional_security_group_rules" { - type = list(any) - default = [] - description = <<-EOT - A list of Security Group rule objects to add to the created security group, in addition to the ones - this module normally creates. (To suppress the module's rules, set `create_security_group` to false - and supply your own security group via `associated_security_group_ids`.) - The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except - for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time. - To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . - EOT } variable "elasticache_subnet_group_name" { From e99d4d72a863f8c8bf386c0976dfb3f3e25a94c0 Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Mon, 21 Aug 2023 15:47:00 +0530 Subject: [PATCH 08/28] locals value and outputs updated --- main.tf | 5 +++++ outputs.tf | 4 ++-- security_group.tf | 5 +++++ variables.tf | 6 ++++++ 4 files changed, 18 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 21667424..9a4dc451 100644 --- a/main.tf +++ b/main.tf @@ -1,3 +1,8 @@ +locals { + enabled = module.this.enabled + create_security_group = local.enabled && var.create_security_group +} + locals { elasticache_subnet_group_name = var.elasticache_subnet_group_name != "" ? var.elasticache_subnet_group_name : join("", aws_elasticache_subnet_group.default[*].name) diff --git a/outputs.tf b/outputs.tf index 3830fb91..bcba3d87 100644 --- a/outputs.tf +++ b/outputs.tf @@ -4,12 +4,12 @@ output "id" { } output "security_group_id" { - value = module.aws_security_group.id + value = aws_security_group.redis.id description = "The ID of the created security group" } output "security_group_name" { - value = module.aws_security_group.name + value = aws_security_group.redis.name description = "The name of the created security group" } diff --git a/security_group.tf b/security_group.tf index 3216df45..b31b8449 100644 --- a/security_group.tf +++ b/security_group.tf @@ -1,3 +1,8 @@ +locals { + enabled = module.this.enabled + create_redis_security_group = local.enabled && var.create_redis_security_group +} + resource "aws_security_group" "redis" { name = "${module.this.id}-redis-sg" diff --git a/variables.tf b/variables.tf index a166176b..15078c74 100644 --- a/variables.tf +++ b/variables.tf @@ -15,6 +15,12 @@ variable "redis_ingress_cidr_blocks" { default = [] } +variable "create_redis_security_group" { + description = "Weather or not to create a security group for redis" + type = bool + default = true +} + variable "redis_additional_security_groups" { description = "A list of security group IDs to assign to the Redis." type = list(string) From 31e5367a31bd9a154f34f3f48504b84bada3bbe1 Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Mon, 21 Aug 2023 15:55:04 +0530 Subject: [PATCH 09/28] locals value and outputs updated --- main.tf | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 9a4dc451..670ef09d 100644 --- a/main.tf +++ b/main.tf @@ -1,7 +1,4 @@ -locals { - enabled = module.this.enabled - create_security_group = local.enabled && var.create_security_group -} + locals { From affb503e317bc8a665c4452de8a1bf9a6e007c90 Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Mon, 21 Aug 2023 16:39:36 +0530 Subject: [PATCH 10/28] security group upated --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 670ef09d..fc7facfc 100644 --- a/main.tf +++ b/main.tf @@ -66,7 +66,7 @@ resource "aws_elasticache_replication_group" "default" { # but that causes problems, and having duplicates does not seem to cause problems. # See https://github.com/hashicorp/terraform/issues/29799 security_group_ids = compact( - concat(var.additional_security_groups, [aws_security_group.alb.id]), + concat(var.additional_security_groups, [aws_security_group.redis.id]), ) maintenance_window = var.maintenance_window notification_topic_arn = var.notification_topic_arn From d0ed6d6aa3613a9c0a1d49d17723f6adfc972ee9 Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Mon, 21 Aug 2023 16:44:42 +0530 Subject: [PATCH 11/28] chore: variable name updated for secuirty group --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index fc7facfc..a524d758 100644 --- a/main.tf +++ b/main.tf @@ -66,7 +66,7 @@ resource "aws_elasticache_replication_group" "default" { # but that causes problems, and having duplicates does not seem to cause problems. # See https://github.com/hashicorp/terraform/issues/29799 security_group_ids = compact( - concat(var.additional_security_groups, [aws_security_group.redis.id]), + concat(var.redis_additional_security_groups, [aws_security_group.redis.id]), ) maintenance_window = var.maintenance_window notification_topic_arn = var.notification_topic_arn From 3ec206b215e8e5e0c2942accf04ce372d53f0285 Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Mon, 21 Aug 2023 16:57:11 +0530 Subject: [PATCH 12/28] chore: ingress updated for redis sg --- main.tf | 4 +--- security_group.tf | 1 + 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index a524d758..9a6f8df7 100644 --- a/main.tf +++ b/main.tf @@ -65,9 +65,7 @@ resource "aws_elasticache_replication_group" "default" { # It would be nice to remove null or duplicate security group IDs, if there are any, using `compact`, # but that causes problems, and having duplicates does not seem to cause problems. # See https://github.com/hashicorp/terraform/issues/29799 - security_group_ids = compact( - concat(var.redis_additional_security_groups, [aws_security_group.redis.id]), - ) + security_group_ids = [aws_security_group.redis.id] maintenance_window = var.maintenance_window notification_topic_arn = var.notification_topic_arn engine_version = var.engine_version diff --git a/security_group.tf b/security_group.tf index b31b8449..48631fe2 100644 --- a/security_group.tf +++ b/security_group.tf @@ -30,5 +30,6 @@ resource "aws_security_group_rule" "ingress_redis" { to_port = 6379 protocol = "tcp" cidr_blocks = var.redis_ingress_cidr_blocks + secuirty_group = var.redis_additional_security_groups } From ccfc2acf7e216466e101b9b1bd355af1cc152bdc Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Mon, 21 Aug 2023 17:04:44 +0530 Subject: [PATCH 13/28] chore: ingress updated for redis sg --- security_group.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security_group.tf b/security_group.tf index 48631fe2..ddee740e 100644 --- a/security_group.tf +++ b/security_group.tf @@ -30,6 +30,6 @@ resource "aws_security_group_rule" "ingress_redis" { to_port = 6379 protocol = "tcp" cidr_blocks = var.redis_ingress_cidr_blocks - secuirty_group = var.redis_additional_security_groups + security_group = var.redis_additional_security_groups } From fc63e56791170f5470cee85af39130c6f4a23d64 Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Mon, 21 Aug 2023 17:08:08 +0530 Subject: [PATCH 14/28] chore: ingress updated for redis sg --- security_group.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security_group.tf b/security_group.tf index ddee740e..a56b6888 100644 --- a/security_group.tf +++ b/security_group.tf @@ -30,6 +30,6 @@ resource "aws_security_group_rule" "ingress_redis" { to_port = 6379 protocol = "tcp" cidr_blocks = var.redis_ingress_cidr_blocks - security_group = var.redis_additional_security_groups + security_groups = var.redis_additional_security_groups } From 79583387fe1e1d513ff46b92d6e3d59356434fb2 Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Mon, 21 Aug 2023 17:16:40 +0530 Subject: [PATCH 15/28] chore: security group config updated --- security_group.tf | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/security_group.tf b/security_group.tf index a56b6888..4e1e4422 100644 --- a/security_group.tf +++ b/security_group.tf @@ -14,6 +14,15 @@ resource "aws_security_group" "redis" { to_port = 0 cidr_blocks = ["0.0.0.0/0"] } + ingress { + description = "Allow ECS and serverless SGs access to Redis" + from_port = 6379 + to_port = 6379 + protocol = "TCP" + cidr_blocks = var.redis_ingress_cidr_blocks + security_groups = var.redis_additional_security_groups + + } tags = merge( module.this.tags, { @@ -22,14 +31,3 @@ resource "aws_security_group" "redis" { ) } -resource "aws_security_group_rule" "ingress_redis" { - - security_group_id = aws_security_group.redis.id - type = "ingress" - from_port = 6379 - to_port = 6379 - protocol = "tcp" - cidr_blocks = var.redis_ingress_cidr_blocks - security_groups = var.redis_additional_security_groups -} - From 186f51655f068046cd736e900c2ba2d2bc671dc1 Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Mon, 21 Aug 2023 17:23:56 +0530 Subject: [PATCH 16/28] chore: security group config updated --- security_group.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security_group.tf b/security_group.tf index 4e1e4422..a8741ff6 100644 --- a/security_group.tf +++ b/security_group.tf @@ -15,7 +15,7 @@ resource "aws_security_group" "redis" { cidr_blocks = ["0.0.0.0/0"] } ingress { - description = "Allow ECS and serverless SGs access to Redis" + description = "Allow SGs and cidr to access Redis" from_port = 6379 to_port = 6379 protocol = "TCP" From e077cd336b203e6276c43788549a29c75900d74a Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Tue, 22 Aug 2023 11:41:35 +0530 Subject: [PATCH 17/28] security group code updated --- security_group.tf | 11 +++++------ variables.tf | 16 ++++++++-------- 2 files changed, 13 insertions(+), 14 deletions(-) diff --git a/security_group.tf b/security_group.tf index a8741ff6..85e5f123 100644 --- a/security_group.tf +++ b/security_group.tf @@ -1,6 +1,5 @@ locals { - enabled = module.this.enabled - create_redis_security_group = local.enabled && var.create_redis_security_group + enabled = module.this.enabled } @@ -16,11 +15,11 @@ resource "aws_security_group" "redis" { } ingress { description = "Allow SGs and cidr to access Redis" - from_port = 6379 - to_port = 6379 + from_port = var.port + to_port = var.port protocol = "TCP" - cidr_blocks = var.redis_ingress_cidr_blocks - security_groups = var.redis_additional_security_groups + cidr_blocks = var.ingress_cidr_blocks + security_groups = var.additional_security_groups } tags = merge( diff --git a/variables.tf b/variables.tf index 15078c74..8a034e16 100644 --- a/variables.tf +++ b/variables.tf @@ -9,19 +9,19 @@ variable "subnets" { default = [] } -variable "redis_ingress_cidr_blocks" { +variable "port" { + description = "port no for redis ingress" + type = number + default = 6379 +} + +variable "ingress_cidr_blocks" { description = "List of IPv4 CIDR ranges to use on all ingress rules" type = list(string) default = [] } -variable "create_redis_security_group" { - description = "Weather or not to create a security group for redis" - type = bool - default = true -} - -variable "redis_additional_security_groups" { +variable "additional_security_groups" { description = "A list of security group IDs to assign to the Redis." type = list(string) default = [] From adb1342b9e18761d3ca9f9275605ca4e69ccdce0 Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Tue, 22 Aug 2023 11:45:13 +0530 Subject: [PATCH 18/28] security group code updated --- variables.tf | 6 ------ 1 file changed, 6 deletions(-) diff --git a/variables.tf b/variables.tf index 8a034e16..0561ca41 100644 --- a/variables.tf +++ b/variables.tf @@ -9,12 +9,6 @@ variable "subnets" { default = [] } -variable "port" { - description = "port no for redis ingress" - type = number - default = 6379 -} - variable "ingress_cidr_blocks" { description = "List of IPv4 CIDR ranges to use on all ingress rules" type = list(string) From 813737e70b6b7bfe5fc9ae30b9d91126e5a60f80 Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Tue, 22 Aug 2023 16:52:30 +0530 Subject: [PATCH 19/28] sg variable name updated --- main.tf | 6 +++--- security_group.tf | 6 +----- variables.tf | 2 +- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/main.tf b/main.tf index 9a6f8df7..87bc555d 100644 --- a/main.tf +++ b/main.tf @@ -1,6 +1,6 @@ - - - +locals { + enabled = module.this.enabled +} locals { elasticache_subnet_group_name = var.elasticache_subnet_group_name != "" ? var.elasticache_subnet_group_name : join("", aws_elasticache_subnet_group.default[*].name) diff --git a/security_group.tf b/security_group.tf index 85e5f123..93f432b8 100644 --- a/security_group.tf +++ b/security_group.tf @@ -1,7 +1,3 @@ -locals { - enabled = module.this.enabled -} - resource "aws_security_group" "redis" { name = "${module.this.id}-redis-sg" @@ -19,7 +15,7 @@ resource "aws_security_group" "redis" { to_port = var.port protocol = "TCP" cidr_blocks = var.ingress_cidr_blocks - security_groups = var.additional_security_groups + security_groups = var.allowed_security_groups } tags = merge( diff --git a/variables.tf b/variables.tf index 0561ca41..6c787d11 100644 --- a/variables.tf +++ b/variables.tf @@ -15,7 +15,7 @@ variable "ingress_cidr_blocks" { default = [] } -variable "additional_security_groups" { +variable "allowed_security_groups" { description = "A list of security group IDs to assign to the Redis." type = list(string) default = [] From b9ebb9c73edadada06b26304adc895061d59cd70 Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Mon, 28 Aug 2023 09:42:52 +0530 Subject: [PATCH 20/28] chore: security group config added for redis cluster --- README.md | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index bc092b2f..fec51417 100644 --- a/README.md +++ b/README.md @@ -226,15 +226,13 @@ Available targets: | Name | Description | Type | Default | Required | | --------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [additional_security_group_rules](#input_additional_security_group_rules) | A list of Security Group rule objects to add to the created security group, in addition to the ones
this module normally creates. (To suppress the module's rules, set `create_security_group` to false
and supply your own security group via `associated_security_group_ids`.)
The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except
for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time.
To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . | `list(any)` | `[]` | no | | [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | | [alarm_actions](#input_alarm_actions) | Alarm action list | `list(string)` | `[]` | no | | [alarm_cpu_threshold_percent](#input_alarm_cpu_threshold_percent) | CPU threshold alarm level | `number` | `75` | no | | [alarm_memory_threshold_bytes](#input_alarm_memory_threshold_bytes) | Ram threshold alarm level | `number` | `10000000` | no | -| [allow_all_egress](#input_allow_all_egress) | If `true`, the created security group will allow egress on all ports and protocols to all IP address.
If this is false and no egress rules are otherwise specified, then no egress will be allowed.
Defaults to `true`. | `bool` | `null` | no | -| [allowed_security_group_ids](#input_allowed_security_group_ids) | A list of IDs of Security Groups to allow access to the security group created by this module. | `list(string)` | `[]` | no | +| [allow_all_egress](#input_allow_all_egress) | If `true`, the created security group will allow egress on all ports and protocols to all IP address.
If this is false and no egress rules are otherwise specified, then no egress will be allowed.
Defaults to `true`. | `bool` | `null` | no | | [apply_immediately](#input_apply_immediately) | Apply changes immediately | `bool` | `true` | no | -| [associated_security_group_ids](#input_associated_security_group_ids) | A list of IDs of Security Groups to associate the created resource with, in addition to the created security group.
These security groups will not be modified and, if `create_security_group` is `false`, must provide all the required access. | `list(string)` | `[]` | no | + | no | | [at_rest_encryption_enabled](#input_at_rest_encryption_enabled) | Enable encryption at rest | `bool` | `false` | no | | [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | | [auth_token](#input_auth_token) | Auth token for password protecting redis, `transit_encryption_enabled` must be set to `true`. Password must be longer than 16 chars | `string` | `null` | no | @@ -247,7 +245,7 @@ Available targets: | [cluster_mode_replicas_per_node_group](#input_cluster_mode_replicas_per_node_group) | Number of replica nodes in each node group. Valid values are 0 to 5. Changing this number will force a new resource | `number` | `0` | no | | [cluster_size](#input_cluster_size) | Number of nodes in cluster. _Ignored when `cluster_mode_enabled` == `true`_ | `number` | `1` | no | | [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` | 
{
 "additional_tag_map": {},
 "attributes": [],
 "delimiter": null,
 "descriptor_formats": {},
 "enabled": true,
 "environment": null,
 "id_length_limit": null,
 "label_key_case": null,
 "label_order": [],
 "label_value_case": null,
 "labels_as_tags": [
 "unset"
 ],
 "name": null,
 "namespace": null,
 "regex_replace_chars": null,
 "stage": null,
 "tags": {},
 "tenant": null
}
| no | -| [create_security_group](#input_create_security_group) | Set `true` to create and configure a new security group. If false, `associated_security_group_ids` must be provided. | `bool` | `true` | no | + | [data_tiering_enabled](#input_data_tiering_enabled) | Enables data tiering. Data tiering is only supported for replication groups using the r6gd node type. | `bool` | `false` | no | | [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | | [description](#input_description) | Description of elasticache replication group | `string` | `null` | no | @@ -278,11 +276,6 @@ Available targets: | [port](#input_port) | Redis port | `number` | `6379` | no | | [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | | [replication_group_id](#input_replication_group_id) | Replication group ID with the following constraints:
A name must contain from 1 to 20 alphanumeric characters or hyphens.
The first character must be a letter.
A name cannot end with a hyphen or contain two consecutive hyphens. | `string` | `""` | no | -| [security_group_create_before_destroy](#input_security_group_create_before_destroy) | Set `true` to enable Terraform `create_before_destroy` behavior on the created security group.
We only recommend setting this `false` if you are upgrading this module and need to keep
the existing security group from being replaced.
Note that changing this value will always cause the security group to be replaced. | `bool` | `true` | no | -| [security_group_create_timeout](#input_security_group_create_timeout) | How long to wait for the security group to be created. | `string` | `"10m"` | no | -| [security_group_delete_timeout](#input_security_group_delete_timeout) | How long to retry on `DependencyViolation` errors during security group deletion. | `string` | `"15m"` | no | -| [security_group_description](#input_security_group_description) | The description to assign to the created Security Group.
Warning: Changing the description causes the security group to be replaced.
Set this to `null` to maintain parity with releases <= `0.34.0`. | `string` | `"Security group for Elasticache Redis"` | no | -| [security_group_name](#input_security_group_name) | The name to assign to the created security group. Must be unique within the VPC.
If not provided, will be derived from the `null-label.context` passed in.
If `create_before_destroy` is true, will be used as a name prefix. | `list(string)` | `[]` | no | | [snapshot_arns](#input_snapshot_arns) | A single-element string list containing an Amazon Resource Name (ARN) of a Redis RDB snapshot file stored in Amazon S3. Example: arn:aws:s3:::my_bucket/snapshot1.rdb | `list(string)` | `[]` | no | | [snapshot_name](#input_snapshot_name) | The name of a snapshot from which to restore data into the new node group. Changing the snapshot_name forces a new resource. | `string` | `null` | no | | [snapshot_retention_limit](#input_snapshot_retention_limit) | The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. | `number` | `0` | no | @@ -295,7 +288,8 @@ Available targets: | [user_group_ids](#input_user_group_ids) | User Group ID to associate with the replication group | `list(string)` | `null` | no | | [vpc_id](#input_vpc_id) | VPC ID | `string` | n/a | yes | | [zone_id](#input_zone_id) | Route53 DNS Zone ID as list of string (0 or 1 items). If empty, no custom DNS name will be published.
If the list contains a single Zone ID, a custom DNS name will be pulished in that zone.
Can also be a plain string, but that use is DEPRECATED because of Terraform issues. | `any` | `[]` | no | - + [ingress_cidr_blocks](#ingress_cidr_blocks) | List of IPv4 CIDR ranges to use on all ingress rules.                                                     | `list(string)` | `[]` | no |     + [allowed_security_groups](#allowed_security_groups) | A list of security group IDs to assign to the Redis.                           | `list(string)` | `[]` | no | ## Outputs | Name | Description | From ffef99ef8e02fa9e6569fa5c9d5791e58ce24122 Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Mon, 28 Aug 2023 09:45:39 +0530 Subject: [PATCH 21/28] chore: fmt readme.md --- README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index fec51417..535312ad 100644 --- a/README.md +++ b/README.md @@ -231,8 +231,7 @@ Available targets: | [alarm_cpu_threshold_percent](#input_alarm_cpu_threshold_percent) | CPU threshold alarm level | `number` | `75` | no | | [alarm_memory_threshold_bytes](#input_alarm_memory_threshold_bytes) | Ram threshold alarm level | `number` | `10000000` | no | | [allow_all_egress](#input_allow_all_egress) | If `true`, the created security group will allow egress on all ports and protocols to all IP address.
If this is false and no egress rules are otherwise specified, then no egress will be allowed.
Defaults to `true`. | `bool` | `null` | no | -| [apply_immediately](#input_apply_immediately) | Apply changes immediately | `bool` | `true` | no | - | no | +| [apply_immediately](#input_apply_immediately) | Apply changes immediately | `bool` | `true` | no | | no | | [at_rest_encryption_enabled](#input_at_rest_encryption_enabled) | Enable encryption at rest | `bool` | `false` | no | | [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | | [auth_token](#input_auth_token) | Auth token for password protecting redis, `transit_encryption_enabled` must be set to `true`. Password must be longer than 16 chars | `string` | `null` | no | @@ -245,7 +244,6 @@ Available targets: | [cluster_mode_replicas_per_node_group](#input_cluster_mode_replicas_per_node_group) | Number of replica nodes in each node group. Valid values are 0 to 5. Changing this number will force a new resource | `number` | `0` | no | | [cluster_size](#input_cluster_size) | Number of nodes in cluster. _Ignored when `cluster_mode_enabled` == `true`_ | `number` | `1` | no | | [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` | 
{
 "additional_tag_map": {},
 "attributes": [],
 "delimiter": null,
 "descriptor_formats": {},
 "enabled": true,
 "environment": null,
 "id_length_limit": null,
 "label_key_case": null,
 "label_order": [],
 "label_value_case": null,
 "labels_as_tags": [
 "unset"
 ],
 "name": null,
 "namespace": null,
 "regex_replace_chars": null,
 "stage": null,
 "tags": {},
 "tenant": null
}
| no | - | [data_tiering_enabled](#input_data_tiering_enabled) | Enables data tiering. Data tiering is only supported for replication groups using the r6gd node type. | `bool` | `false` | no | | [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | | [description](#input_description) | Description of elasticache replication group | `string` | `null` | no | From 62159ff957c9a397996364fb69ddf447791166b0 Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Mon, 28 Aug 2023 11:06:19 +0530 Subject: [PATCH 22/28] variable description updated --- README.md | 4 ++-- main.tf | 4 +--- variables.tf | 5 ++--- 3 files changed, 5 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 535312ad..85743d9a 100644 --- a/README.md +++ b/README.md @@ -286,8 +286,8 @@ Available targets: | [user_group_ids](#input_user_group_ids) | User Group ID to associate with the replication group | `list(string)` | `null` | no | | [vpc_id](#input_vpc_id) | VPC ID | `string` | n/a | yes | | [zone_id](#input_zone_id) | Route53 DNS Zone ID as list of string (0 or 1 items). If empty, no custom DNS name will be published.
If the list contains a single Zone ID, a custom DNS name will be pulished in that zone.
Can also be a plain string, but that use is DEPRECATED because of Terraform issues. | `any` | `[]` | no | - [ingress_cidr_blocks](#ingress_cidr_blocks) | List of IPv4 CIDR ranges to use on all ingress rules.                                                     | `list(string)` | `[]` | no |     - [allowed_security_groups](#allowed_security_groups) | A list of security group IDs to assign to the Redis.                           | `list(string)` | `[]` | no | + [ingress_cidr_blocks](#ingress_cidr_blocks) | List of IPv4 CIDR ranges to allow in security group ingress.                                                     | `list(string)` | `[]` | no |     + [allowed_security_groups](#allowed_security_groups) | List of security group IDs to allow in security group ingress.                           | `list(string)` | `[]` | no | ## Outputs | Name | Description | diff --git a/main.tf b/main.tf index 87bc555d..ee9405dc 100644 --- a/main.tf +++ b/main.tf @@ -1,7 +1,5 @@ locals { - enabled = module.this.enabled -} -locals { + enabled = module.this.enabled elasticache_subnet_group_name = var.elasticache_subnet_group_name != "" ? var.elasticache_subnet_group_name : join("", aws_elasticache_subnet_group.default[*].name) # if !cluster, then node_count = replica cluster_size, if cluster then node_count = shard*(replica + 1) diff --git a/variables.tf b/variables.tf index 6c787d11..294144ac 100644 --- a/variables.tf +++ b/variables.tf @@ -10,17 +10,16 @@ variable "subnets" { } variable "ingress_cidr_blocks" { - description = "List of IPv4 CIDR ranges to use on all ingress rules" + description = "List of IPv4 CIDR ranges to allow in security group ingress." type = list(string) default = [] } variable "allowed_security_groups" { - description = "A list of security group IDs to assign to the Redis." + description = "List of security group IDs to allow in security group ingress." type = list(string) default = [] } - variable "elasticache_subnet_group_name" { type = string description = "Subnet group name for the ElastiCache instance" From 8958b8391ef603e2e8234dead437373c1b0a8877 Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Mon, 28 Aug 2023 11:35:08 +0530 Subject: [PATCH 23/28] chore: updated readme.md --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 85743d9a..214b817e 100644 --- a/README.md +++ b/README.md @@ -230,7 +230,6 @@ Available targets: | [alarm_actions](#input_alarm_actions) | Alarm action list | `list(string)` | `[]` | no | | [alarm_cpu_threshold_percent](#input_alarm_cpu_threshold_percent) | CPU threshold alarm level | `number` | `75` | no | | [alarm_memory_threshold_bytes](#input_alarm_memory_threshold_bytes) | Ram threshold alarm level | `number` | `10000000` | no | -| [allow_all_egress](#input_allow_all_egress) | If `true`, the created security group will allow egress on all ports and protocols to all IP address.
If this is false and no egress rules are otherwise specified, then no egress will be allowed.
Defaults to `true`. | `bool` | `null` | no | | [apply_immediately](#input_apply_immediately) | Apply changes immediately | `bool` | `true` | no | | no | | [at_rest_encryption_enabled](#input_at_rest_encryption_enabled) | Enable encryption at rest | `bool` | `false` | no | | [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | From 16bf06c5c7354e8d5a8802f1fef17ceb8c12e833 Mon Sep 17 00:00:00 2001 From: Mohankumar-studiographene Date: Tue, 19 Sep 2023 13:21:28 +0530 Subject: [PATCH 24/28] Ref changes to SG modules --- README.md | 47 +------- README.yaml | 3 +- docs/terraform.md | 216 ++++++++++++++++++----------------- examples/complete/context.tf | 4 +- examples/complete/main.tf | 6 +- 5 files changed, 118 insertions(+), 158 deletions(-) diff --git a/README.md b/README.md index bc092b2f..a221c70b 100644 --- a/README.md +++ b/README.md @@ -1,52 +1,15 @@ - - -# terraform-aws-elasticache-redis [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-elasticache-redis.svg)](https://github.com/cloudposse/terraform-aws-elasticache-redis/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) - - - -[![README Header][readme_header_img]][readme_header_link] - -[![Cloud Posse][logo]](https://cpco.io/homepage) - - +Module Courtesy: **cloudposse** Terraform module to provision an [`ElastiCache`](https://aws.amazon.com/elasticache/) Redis Cluster --- -This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops) approach towards DevOps. -[][share_email] -[][share_googleplus] -[][share_facebook] -[][share_reddit] -[][share_linkedin] -[][share_twitter] - [![Terraform Open Source Modules](https://docs.cloudposse.com/images/terraform-open-source-modules.svg)][terraform_modules] It's 100% Open Source and licensed under the [APACHE2](LICENSE). -We literally have [_hundreds of terraform modules_][terraform_modules] that are Open Source and well-maintained. Check them out! - ## Security & Compliance [](https://bridgecrew.io/) Security scanning is graciously provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance. @@ -107,8 +70,7 @@ provider "aws" { } module "this" { - source = "cloudposse/label/null" - # Cloud Posse recommends pinning every module to a specific version + source = "app.terraform.io/studiographene/label/null" # version = "x.x.x" namespace = var.namespace stage = var.stage @@ -117,7 +79,6 @@ module "this" { module "vpc" { source = "cloudposse/vpc/aws" - # Cloud Posse recommends pinning every module to a specific version # version = "x.x.x" cidr_block = "172.16.0.0/16" @@ -127,7 +88,6 @@ module "vpc" { module "subnets" { source = "cloudposse/dynamic-subnets/aws" - # Cloud Posse recommends pinning every module to a specific version # version = "x.x.x" availability_zones = var.availability_zones @@ -142,7 +102,6 @@ module "subnets" { module "redis" { source = "cloudposse/elasticache-redis/aws" - # Cloud Posse recommends pinning every module to a specific version # version = "x.x.x" availability_zones = var.availability_zones diff --git a/README.yaml b/README.yaml index 9004b133..e84791ed 100644 --- a/README.yaml +++ b/README.yaml @@ -47,7 +47,6 @@ related: description: "Terraform module designed to generate consistent names and tags for resources. Use terraform-null-label to implement a strict naming convention." url: "https://github.com/cloudposse/terraform-null-label" - # Short description of this project description: |- Terraform module to provision an [`ElastiCache`](https://aws.amazon.com/elasticache/) Redis Cluster @@ -88,7 +87,7 @@ usage: |- } module "this" { - source = "cloudposse/label/null" + source = "app.terraform.io/studiographene/sg-label/null" # Cloud Posse recommends pinning every module to a specific version # version = "x.x.x" namespace = var.namespace diff --git a/docs/terraform.md b/docs/terraform.md index 21790268..17ea2e37 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -1,127 +1,129 @@ + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.3 | -| [aws](#requirement\_aws) | >= 4.18 | +| Name | Version | +| ------------------------------------------------------------------------ | ------- | +| [terraform](#requirement_terraform) | >= 1.3 | +| [aws](#requirement_aws) | >= 4.18 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.18 | +| Name | Version | +| ------------------------------------------------ | ------- | +| [aws](#provider_aws) | >= 4.18 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [aws\_security\_group](#module\_aws\_security\_group) | cloudposse/security-group/aws | 1.0.1 | -| [dns](#module\_dns) | cloudposse/route53-cluster-hostname/aws | 0.12.2 | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| ----------------------------------------------------------------------------------------- | --------------------------------------------- | ------- | +| [aws_security_group](#module_aws_security_group) | cloudposse/security-group/aws | 1.0.1 | +| [dns](#module_dns) | cloudposse/route53-cluster-hostname/aws | 0.12.2 | +| [this](#module_this) | app.terraform.io/studiographene/sg-label/null | 1.0.4 | ## Resources -| Name | Type | -|------|------| -| [aws_cloudwatch_metric_alarm.cache_cpu](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_cloudwatch_metric_alarm.cache_memory](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_elasticache_parameter_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_parameter_group) | resource | +| Name | Type | +| ------------------------------------------------------------------------------------------------------------------------------------------------------ | -------- | +| [aws_cloudwatch_metric_alarm.cache_cpu](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | +| [aws_cloudwatch_metric_alarm.cache_memory](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | +| [aws_elasticache_parameter_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_parameter_group) | resource | | [aws_elasticache_replication_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group) | resource | -| [aws_elasticache_subnet_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_subnet_group) | resource | +| [aws_elasticache_subnet_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_subnet_group) | resource | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_security\_group\_rules](#input\_additional\_security\_group\_rules) | A list of Security Group rule objects to add to the created security group, in addition to the ones
this module normally creates. (To suppress the module's rules, set `create_security_group` to false
and supply your own security group via `associated_security_group_ids`.)
The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except
for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time.
To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . | `list(any)` | `[]` | no | -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [alarm\_actions](#input\_alarm\_actions) | Alarm action list | `list(string)` | `[]` | no | -| [alarm\_cpu\_threshold\_percent](#input\_alarm\_cpu\_threshold\_percent) | CPU threshold alarm level | `number` | `75` | no | -| [alarm\_memory\_threshold\_bytes](#input\_alarm\_memory\_threshold\_bytes) | Ram threshold alarm level | `number` | `10000000` | no | -| [allow\_all\_egress](#input\_allow\_all\_egress) | If `true`, the created security group will allow egress on all ports and protocols to all IP address.
If this is false and no egress rules are otherwise specified, then no egress will be allowed.
Defaults to `true` unless the deprecated `egress_cidr_blocks` is provided and is not `["0.0.0.0/0"]`, in which case defaults to `false`. | `bool` | `null` | no | -| [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | DEPRECATED: Use `additional_security_group_rules` instead.
Historical description: List of CIDR blocks that are allowed ingress to the cluster's Security Group created in the module | `list(string)` | `[]` | no | -| [allowed\_security\_group\_ids](#input\_allowed\_security\_group\_ids) | A list of IDs of Security Groups to allow access to the security group created by this module. | `list(string)` | `[]` | no | -| [allowed\_security\_groups](#input\_allowed\_security\_groups) | DEPRECATED: Use `allowed_security_group_ids` instead. | `list(string)` | `[]` | no | -| [apply\_immediately](#input\_apply\_immediately) | Apply changes immediately | `bool` | `true` | no | -| [associated\_security\_group\_ids](#input\_associated\_security\_group\_ids) | A list of IDs of Security Groups to associate the created resource with, in addition to the created security group.
These security groups will not be modified and, if `create_security_group` is `false`, must provide all the required access. | `list(string)` | `[]` | no | -| [at\_rest\_encryption\_enabled](#input\_at\_rest\_encryption\_enabled) | Enable encryption at rest | `bool` | `false` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [auth\_token](#input\_auth\_token) | Auth token for password protecting redis, `transit_encryption_enabled` must be set to `true`. Password must be longer than 16 chars | `string` | `null` | no | -| [auto\_minor\_version\_upgrade](#input\_auto\_minor\_version\_upgrade) | Specifies whether minor version engine upgrades will be applied automatically to the underlying Cache Cluster instances during the maintenance window. Only supported if the engine version is 6 or higher. | `bool` | `null` | no | -| [automatic\_failover\_enabled](#input\_automatic\_failover\_enabled) | Automatic failover (Not available for T1/T2 instances) | `bool` | `false` | no | -| [availability\_zones](#input\_availability\_zones) | Availability zone IDs | `list(string)` | `[]` | no | -| [cloudwatch\_metric\_alarms\_enabled](#input\_cloudwatch\_metric\_alarms\_enabled) | Boolean flag to enable/disable CloudWatch metrics alarms | `bool` | `false` | no | -| [cluster\_mode\_enabled](#input\_cluster\_mode\_enabled) | Flag to enable/disable creation of a native redis cluster. `automatic_failover_enabled` must be set to `true`. Only 1 `cluster_mode` block is allowed | `bool` | `false` | no | -| [cluster\_mode\_num\_node\_groups](#input\_cluster\_mode\_num\_node\_groups) | Number of node groups (shards) for this Redis replication group. Changing this number will trigger an online resizing operation before other settings modifications | `number` | `0` | no | -| [cluster\_mode\_replicas\_per\_node\_group](#input\_cluster\_mode\_replicas\_per\_node\_group) | Number of replica nodes in each node group. Valid values are 0 to 5. Changing this number will force a new resource | `number` | `0` | no | -| [cluster\_size](#input\_cluster\_size) | Number of nodes in cluster. *Ignored when `cluster_mode_enabled` == `true`* | `number` | `1` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | 
{
  "additional_tag_map": {},
  "attributes": [],
  "delimiter": null,
  "descriptor_formats": {},
  "enabled": true,
  "environment": null,
  "id_length_limit": null,
  "label_key_case": null,
  "label_order": [],
  "label_value_case": null,
  "labels_as_tags": [
    "unset"
  ],
  "name": null,
  "namespace": null,
  "regex_replace_chars": null,
  "stage": null,
  "tags": {},
  "tenant": null
}
| no | -| [create\_security\_group](#input\_create\_security\_group) | Set `true` to create and configure a new security group. If false, `associated_security_group_ids` must be provided. | `bool` | `true` | no | -| [data\_tiering\_enabled](#input\_data\_tiering\_enabled) | Enables data tiering. Data tiering is only supported for replication groups using the r6gd node type. | `bool` | `false` | no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [description](#input\_description) | Description of elasticache replication group | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [dns\_subdomain](#input\_dns\_subdomain) | The subdomain to use for the CNAME record. If not provided then the CNAME record will use var.name. | `string` | `""` | no | -| [egress\_cidr\_blocks](#input\_egress\_cidr\_blocks) | DEPRECATED: Use `allow_all_egress` and `additional_security_group_rules` instead.
Historical description: Outbound traffic address.
Historical default: ["0.0.0.0/0"] | `list(any)` | `null` | no | -| [elasticache\_subnet\_group\_name](#input\_elasticache\_subnet\_group\_name) | Subnet group name for the ElastiCache instance | `string` | `""` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [engine\_version](#input\_engine\_version) | Redis engine version | `string` | `"4.0.10"` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [existing\_security\_groups](#input\_existing\_security\_groups) | DEPRECATED: Use `associated_security_group_ids` instead.
Historical description: List of existing Security Group IDs to place the cluster into.
Set `use_existing_security_groups` to `true` to enable using `existing_security_groups` as Security Groups for the cluster. | `list(string)` | `[]` | no | -| [family](#input\_family) | Redis family | `string` | `"redis4.0"` | no | -| [final\_snapshot\_identifier](#input\_final\_snapshot\_identifier) | The name of your final node group (shard) snapshot. ElastiCache creates the snapshot from the primary node in the cluster. If omitted, no final snapshot will be made. | `string` | `null` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [instance\_type](#input\_instance\_type) | Elastic cache instance type | `string` | `"cache.t2.micro"` | no | -| [kms\_key\_id](#input\_kms\_key\_id) | The ARN of the key that you wish to use if encrypting at rest. If not supplied, uses service managed encryption. `at_rest_encryption_enabled` must be set to `true` | `string` | `null` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | 
[
  "default"
]
| no | -| [log\_delivery\_configuration](#input\_log\_delivery\_configuration) | The log\_delivery\_configuration block allows the streaming of Redis SLOWLOG or Redis Engine Log to CloudWatch Logs or Kinesis Data Firehose. Max of 2 blocks. | `list(map(any))` | `[]` | no | -| [maintenance\_window](#input\_maintenance\_window) | Maintenance window | `string` | `"wed:03:00-wed:04:00"` | no | -| [multi\_az\_enabled](#input\_multi\_az\_enabled) | Multi AZ (Automatic Failover must also be enabled. If Cluster Mode is enabled, Multi AZ is on by default, and this setting is ignored) | `bool` | `false` | no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [notification\_topic\_arn](#input\_notification\_topic\_arn) | Notification topic arn | `string` | `""` | no | -| [ok\_actions](#input\_ok\_actions) | The list of actions to execute when this alarm transitions into an OK state from any other state. Each action is specified as an Amazon Resource Number (ARN) | `list(string)` | `[]` | no | -| [parameter](#input\_parameter) | A list of Redis parameters to apply. Note that parameters may differ from one Redis family to another | 
list(object({
    name  = string
    value = string
  }))
| `[]` | no | -| [parameter\_group\_description](#input\_parameter\_group\_description) | Managed by Terraform | `string` | `null` | no | -| [port](#input\_port) | Redis port | `number` | `6379` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [replication\_group\_id](#input\_replication\_group\_id) | Replication group ID with the following constraints:
A name must contain from 1 to 20 alphanumeric characters or hyphens.
The first character must be a letter.
A name cannot end with a hyphen or contain two consecutive hyphens. | `string` | `""` | no | -| [security\_group\_create\_before\_destroy](#input\_security\_group\_create\_before\_destroy) | Set `true` to enable Terraform `create_before_destroy` behavior on the created security group.
We only recommend setting this `false` if you are upgrading this module and need to keep
the existing security group from being replaced.
Note that changing this value will always cause the security group to be replaced. | `bool` | `true` | no | -| [security\_group\_create\_timeout](#input\_security\_group\_create\_timeout) | How long to wait for the security group to be created. | `string` | `"10m"` | no | -| [security\_group\_delete\_timeout](#input\_security\_group\_delete\_timeout) | How long to retry on `DependencyViolation` errors during security group deletion. | `string` | `"15m"` | no | -| [security\_group\_description](#input\_security\_group\_description) | The description to assign to the created Security Group.
Warning: Changing the description causes the security group to be replaced.
Set this to `null` to maintain parity with releases <= `0.34.0`. | `string` | `"Security group for Elasticache Redis"` | no | -| [security\_group\_name](#input\_security\_group\_name) | The name to assign to the created security group. Must be unique within the VPC.
If not provided, will be derived from the `null-label.context` passed in.
If `create_before_destroy` is true, will be used as a name prefix. | `list(string)` | `[]` | no | -| [snapshot\_arns](#input\_snapshot\_arns) | A single-element string list containing an Amazon Resource Name (ARN) of a Redis RDB snapshot file stored in Amazon S3. Example: arn:aws:s3:::my\_bucket/snapshot1.rdb | `list(string)` | `[]` | no | -| [snapshot\_name](#input\_snapshot\_name) | The name of a snapshot from which to restore data into the new node group. Changing the snapshot\_name forces a new resource. | `string` | `null` | no | -| [snapshot\_retention\_limit](#input\_snapshot\_retention\_limit) | The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. | `number` | `0` | no | -| [snapshot\_window](#input\_snapshot\_window) | The daily time range (in UTC) during which ElastiCache will begin taking a daily snapshot of your cache cluster. | `string` | `"06:30-07:30"` | no | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [subnets](#input\_subnets) | Subnet IDs | `list(string)` | `[]` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [transit\_encryption\_enabled](#input\_transit\_encryption\_enabled) | Set `true` to enable encryption in transit. Forced `true` if `var.auth_token` is set.
If this is enabled, use the [following guide](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls) to access redis. | `bool` | `true` | no | -| [use\_existing\_security\_groups](#input\_use\_existing\_security\_groups) | DEPRECATED: Use `create_security_group` instead.
Historical description: Flag to enable/disable creation of Security Group in the module.
Set to `true` to disable Security Group creation and provide a list of existing security Group IDs in `existing_security_groups` to place the cluster into.
Historical default: `false` | `bool` | `null` | no | -| [user\_group\_ids](#input\_user\_group\_ids) | User Group ID to associate with the replication group | `list(string)` | `null` | no | -| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes | -| [zone\_id](#input\_zone\_id) | Route53 DNS Zone ID as list of string (0 or 1 items). If empty, no custom DNS name will be published.
If the list contains a single Zone ID, a custom DNS name will be pulished in that zone.
Can also be a plain string, but that use is DEPRECATED because of Terraform issues. | `any` | `[]` | no | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [additional_security_group_rules](#input_additional_security_group_rules) | A list of Security Group rule objects to add to the created security group, in addition to the ones
this module normally creates. (To suppress the module's rules, set `create_security_group` to false
and supply your own security group via `associated_security_group_ids`.)
The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except
for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time.
To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . | `list(any)` | `[]` | no | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [alarm_actions](#input_alarm_actions) | Alarm action list | `list(string)` | `[]` | no | +| [alarm_cpu_threshold_percent](#input_alarm_cpu_threshold_percent) | CPU threshold alarm level | `number` | `75` | no | +| [alarm_memory_threshold_bytes](#input_alarm_memory_threshold_bytes) | Ram threshold alarm level | `number` | `10000000` | no | +| [allow_all_egress](#input_allow_all_egress) | If `true`, the created security group will allow egress on all ports and protocols to all IP address.
If this is false and no egress rules are otherwise specified, then no egress will be allowed.
Defaults to `true` unless the deprecated `egress_cidr_blocks` is provided and is not `["0.0.0.0/0"]`, in which case defaults to `false`. | `bool` | `null` | no | +| [allowed_cidr_blocks](#input_allowed_cidr_blocks) | DEPRECATED: Use `additional_security_group_rules` instead.
Historical description: List of CIDR blocks that are allowed ingress to the cluster's Security Group created in the module | `list(string)` | `[]` | no | +| [allowed_security_group_ids](#input_allowed_security_group_ids) | A list of IDs of Security Groups to allow access to the security group created by this module. | `list(string)` | `[]` | no | +| [allowed_security_groups](#input_allowed_security_groups) | DEPRECATED: Use `allowed_security_group_ids` instead. | `list(string)` | `[]` | no | +| [apply_immediately](#input_apply_immediately) | Apply changes immediately | `bool` | `true` | no | +| [associated_security_group_ids](#input_associated_security_group_ids) | A list of IDs of Security Groups to associate the created resource with, in addition to the created security group.
These security groups will not be modified and, if `create_security_group` is `false`, must provide all the required access. | `list(string)` | `[]` | no | +| [at_rest_encryption_enabled](#input_at_rest_encryption_enabled) | Enable encryption at rest | `bool` | `false` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [auth_token](#input_auth_token) | Auth token for password protecting redis, `transit_encryption_enabled` must be set to `true`. Password must be longer than 16 chars | `string` | `null` | no | +| [auto_minor_version_upgrade](#input_auto_minor_version_upgrade) | Specifies whether minor version engine upgrades will be applied automatically to the underlying Cache Cluster instances during the maintenance window. Only supported if the engine version is 6 or higher. | `bool` | `null` | no | +| [automatic_failover_enabled](#input_automatic_failover_enabled) | Automatic failover (Not available for T1/T2 instances) | `bool` | `false` | no | +| [availability_zones](#input_availability_zones) | Availability zone IDs | `list(string)` | `[]` | no | +| [cloudwatch_metric_alarms_enabled](#input_cloudwatch_metric_alarms_enabled) | Boolean flag to enable/disable CloudWatch metrics alarms | `bool` | `false` | no | +| [cluster_mode_enabled](#input_cluster_mode_enabled) | Flag to enable/disable creation of a native redis cluster. `automatic_failover_enabled` must be set to `true`. Only 1 `cluster_mode` block is allowed | `bool` | `false` | no | +| [cluster_mode_num_node_groups](#input_cluster_mode_num_node_groups) | Number of node groups (shards) for this Redis replication group. Changing this number will trigger an online resizing operation before other settings modifications | `number` | `0` | no | +| [cluster_mode_replicas_per_node_group](#input_cluster_mode_replicas_per_node_group) | Number of replica nodes in each node group. Valid values are 0 to 5. Changing this number will force a new resource | `number` | `0` | no | +| [cluster_size](#input_cluster_size) | Number of nodes in cluster. _Ignored when `cluster_mode_enabled` == `true`_ | `number` | `1` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` | 
{
 "additional_tag_map": {},
 "attributes": [],
 "delimiter": null,
 "descriptor_formats": {},
 "enabled": true,
 "environment": null,
 "id_length_limit": null,
 "label_key_case": null,
 "label_order": [],
 "label_value_case": null,
 "labels_as_tags": [
 "unset"
 ],
 "name": null,
 "namespace": null,
 "regex_replace_chars": null,
 "stage": null,
 "tags": {},
 "tenant": null
}
| no | +| [create_security_group](#input_create_security_group) | Set `true` to create and configure a new security group. If false, `associated_security_group_ids` must be provided. | `bool` | `true` | no | +| [data_tiering_enabled](#input_data_tiering_enabled) | Enables data tiering. Data tiering is only supported for replication groups using the r6gd node type. | `bool` | `false` | no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [description](#input_description) | Description of elasticache replication group | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [dns_subdomain](#input_dns_subdomain) | The subdomain to use for the CNAME record. If not provided then the CNAME record will use var.name. | `string` | `""` | no | +| [egress_cidr_blocks](#input_egress_cidr_blocks) | DEPRECATED: Use `allow_all_egress` and `additional_security_group_rules` instead.
Historical description: Outbound traffic address.
Historical default: ["0.0.0.0/0"] | `list(any)` | `null` | no | +| [elasticache_subnet_group_name](#input_elasticache_subnet_group_name) | Subnet group name for the ElastiCache instance | `string` | `""` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [engine_version](#input_engine_version) | Redis engine version | `string` | `"4.0.10"` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [existing_security_groups](#input_existing_security_groups) | DEPRECATED: Use `associated_security_group_ids` instead.
Historical description: List of existing Security Group IDs to place the cluster into.
Set `use_existing_security_groups` to `true` to enable using `existing_security_groups` as Security Groups for the cluster. | `list(string)` | `[]` | no | +| [family](#input_family) | Redis family | `string` | `"redis4.0"` | no | +| [final_snapshot_identifier](#input_final_snapshot_identifier) | The name of your final node group (shard) snapshot. ElastiCache creates the snapshot from the primary node in the cluster. If omitted, no final snapshot will be made. | `string` | `null` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [instance_type](#input_instance_type) | Elastic cache instance type | `string` | `"cache.t2.micro"` | no | +| [kms_key_id](#input_kms_key_id) | The ARN of the key that you wish to use if encrypting at rest. If not supplied, uses service managed encryption. `at_rest_encryption_enabled` must be set to `true` | `string` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | 
[
 "default"
]
| no | +| [log_delivery_configuration](#input_log_delivery_configuration) | The log_delivery_configuration block allows the streaming of Redis SLOWLOG or Redis Engine Log to CloudWatch Logs or Kinesis Data Firehose. Max of 2 blocks. | `list(map(any))` | `[]` | no | +| [maintenance_window](#input_maintenance_window) | Maintenance window | `string` | `"wed:03:00-wed:04:00"` | no | +| [multi_az_enabled](#input_multi_az_enabled) | Multi AZ (Automatic Failover must also be enabled. If Cluster Mode is enabled, Multi AZ is on by default, and this setting is ignored) | `bool` | `false` | no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [notification_topic_arn](#input_notification_topic_arn) | Notification topic arn | `string` | `""` | no | +| [ok_actions](#input_ok_actions) | The list of actions to execute when this alarm transitions into an OK state from any other state. Each action is specified as an Amazon Resource Number (ARN) | `list(string)` | `[]` | no | +| [parameter](#input_parameter) | A list of Redis parameters to apply. Note that parameters may differ from one Redis family to another | 
list(object({
 name = string
 value = string
 }))
| `[]` | no | +| [parameter_group_description](#input_parameter_group_description) | Managed by Terraform | `string` | `null` | no | +| [port](#input_port) | Redis port | `number` | `6379` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [replication_group_id](#input_replication_group_id) | Replication group ID with the following constraints:
A name must contain from 1 to 20 alphanumeric characters or hyphens.
The first character must be a letter.
A name cannot end with a hyphen or contain two consecutive hyphens. | `string` | `""` | no | +| [security_group_create_before_destroy](#input_security_group_create_before_destroy) | Set `true` to enable Terraform `create_before_destroy` behavior on the created security group.
We only recommend setting this `false` if you are upgrading this module and need to keep
the existing security group from being replaced.
Note that changing this value will always cause the security group to be replaced. | `bool` | `true` | no | +| [security_group_create_timeout](#input_security_group_create_timeout) | How long to wait for the security group to be created. | `string` | `"10m"` | no | +| [security_group_delete_timeout](#input_security_group_delete_timeout) | How long to retry on `DependencyViolation` errors during security group deletion. | `string` | `"15m"` | no | +| [security_group_description](#input_security_group_description) | The description to assign to the created Security Group.
Warning: Changing the description causes the security group to be replaced.
Set this to `null` to maintain parity with releases <= `0.34.0`. | `string` | `"Security group for Elasticache Redis"` | no | +| [security_group_name](#input_security_group_name) | The name to assign to the created security group. Must be unique within the VPC.
If not provided, will be derived from the `null-label.context` passed in.
If `create_before_destroy` is true, will be used as a name prefix. | `list(string)` | `[]` | no | +| [snapshot_arns](#input_snapshot_arns) | A single-element string list containing an Amazon Resource Name (ARN) of a Redis RDB snapshot file stored in Amazon S3. Example: arn:aws:s3:::my_bucket/snapshot1.rdb | `list(string)` | `[]` | no | +| [snapshot_name](#input_snapshot_name) | The name of a snapshot from which to restore data into the new node group. Changing the snapshot_name forces a new resource. | `string` | `null` | no | +| [snapshot_retention_limit](#input_snapshot_retention_limit) | The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. | `number` | `0` | no | +| [snapshot_window](#input_snapshot_window) | The daily time range (in UTC) during which ElastiCache will begin taking a daily snapshot of your cache cluster. | `string` | `"06:30-07:30"` | no | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [subnets](#input_subnets) | Subnet IDs | `list(string)` | `[]` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [transit_encryption_enabled](#input_transit_encryption_enabled) | Set `true` to enable encryption in transit. Forced `true` if `var.auth_token` is set.
If this is enabled, use the [following guide](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls) to access redis. | `bool` | `true` | no | +| [use_existing_security_groups](#input_use_existing_security_groups) | DEPRECATED: Use `create_security_group` instead.
Historical description: Flag to enable/disable creation of Security Group in the module.
Set to `true` to disable Security Group creation and provide a list of existing security Group IDs in `existing_security_groups` to place the cluster into.
Historical default: `false` | `bool` | `null` | no | +| [user_group_ids](#input_user_group_ids) | User Group ID to associate with the replication group | `list(string)` | `null` | no | +| [vpc_id](#input_vpc_id) | VPC ID | `string` | n/a | yes | +| [zone_id](#input_zone_id) | Route53 DNS Zone ID as list of string (0 or 1 items). If empty, no custom DNS name will be published.
If the list contains a single Zone ID, a custom DNS name will be pulished in that zone.
Can also be a plain string, but that use is DEPRECATED because of Terraform issues. | `any` | `[]` | no | ## Outputs -| Name | Description | -|------|-------------| -| [arn](#output\_arn) | Elasticache Replication Group ARN | -| [cluster\_enabled](#output\_cluster\_enabled) | Indicates if cluster mode is enabled | -| [endpoint](#output\_endpoint) | Redis primary or configuration endpoint, whichever is appropriate for the given cluster mode | -| [engine\_version\_actual](#output\_engine\_version\_actual) | The running version of the cache engine | -| [host](#output\_host) | Redis hostname | -| [id](#output\_id) | Redis cluster ID | -| [member\_clusters](#output\_member\_clusters) | Redis cluster members | -| [port](#output\_port) | Redis port | -| [reader\_endpoint\_address](#output\_reader\_endpoint\_address) | The address of the endpoint for the reader node in the replication group, if the cluster mode is disabled. | -| [security\_group\_id](#output\_security\_group\_id) | The ID of the created security group | -| [security\_group\_name](#output\_security\_group\_name) | The name of the created security group | +| Name | Description | +| -------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | +| [arn](#output_arn) | Elasticache Replication Group ARN | +| [cluster_enabled](#output_cluster_enabled) | Indicates if cluster mode is enabled | +| [endpoint](#output_endpoint) | Redis primary or configuration endpoint, whichever is appropriate for the given cluster mode | +| [engine_version_actual](#output_engine_version_actual) | The running version of the cache engine | +| [host](#output_host) | Redis hostname | +| [id](#output_id) | Redis cluster ID | +| [member_clusters](#output_member_clusters) | Redis cluster members | +| [port](#output_port) | Redis port | +| [reader_endpoint_address](#output_reader_endpoint_address) | The address of the endpoint for the reader node in the replication group, if the cluster mode is disabled. | +| [security_group_id](#output_security_group_id) | The ID of the created security group | +| [security_group_name](#output_security_group_name) | The name of the created security group | + diff --git a/examples/complete/context.tf b/examples/complete/context.tf index 5e0ef885..312883a3 100644 --- a/examples/complete/context.tf +++ b/examples/complete/context.tf @@ -21,8 +21,8 @@ # module "this" { - source = "cloudposse/label/null" - version = "0.25.0" # requires Terraform >= 0.13.0 + source = "app.terraform.io/studiographene/sg-label/null" + version = "1.0.4" # requires Terraform >= 0.13.0 enabled = var.enabled namespace = var.namespace diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 03d8bac3..bac291ea 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -3,7 +3,7 @@ provider "aws" { } module "vpc" { - source = "cloudposse/vpc/aws" + source = "app.terraform.io/studiographene/sg-label/vpc/aws" version = "2.1.0" ipv4_primary_cidr_block = "172.16.0.0/16" @@ -12,7 +12,7 @@ module "vpc" { } module "subnets" { - source = "cloudposse/dynamic-subnets/aws" + source = "app.terraform.io/studiographene/sg-label/dynamic-subnets/aws" version = "2.3.0" availability_zones = var.availability_zones @@ -35,7 +35,7 @@ resource "aws_route53_zone" "private" { } module "cloudwatch_logs" { - source = "cloudposse/cloudwatch-logs/aws" + source = "app.terraform.io/studiographene/sg-label/cloudwatch-logs/aws" version = "0.6.5" context = module.this.context From 9855b49bd6df5ee545f3d28dd417a79a0788af70 Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Fri, 28 Jun 2024 13:06:29 +0530 Subject: [PATCH 25/28] feat(scans): Added CI workflow for IaC scans --- .github/workflows/ci.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 00000000..fd84890f --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,29 @@ + +name: ci +on: + pull_request: + branches: ["main", "master"] + +jobs: + find_all_layers: + runs-on: ubuntu-latest + name: Available TF layers + outputs: + LAYERS: ${{ steps.find_layers.outputs.LAYERS }} + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Finding available layers + id: find_layers + run: | + DIR_LIST=$(find ./tf/layers -mindepth 1 -maxdepth 1 -type d -exec printf '{{"directory": "%s"}}' {{}} \; | jq -s . | jq -c 'map(.directory)') + echo Avalilable Layers are $DIR_LIST ... + echo "LAYERS=${{DIR_LIST}}" >> $GITHUB_OUTPUT + + call-workflow: + uses: studiographene/github-action-workflows/.github/workflows/checkov-terraform-iac-scan.yml@master # if you want alternatively pin to tag version + secrets: inherit + needs: find_all_layers + with: + directories: ${{needs.find_all_layers.outputs.LAYERS}} From 4e2750b661842c72216b71eb4ee991b8a0ddaccc Mon Sep 17 00:00:00 2001 From: Aakash Deshpande Date: Mon, 1 Jul 2024 11:57:18 +0530 Subject: [PATCH 26/28] feat: updated iac scan workflow --- .github/workflows/ci.yml | 23 ++--------------------- 1 file changed, 2 insertions(+), 21 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fd84890f..3fe750a6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -5,25 +5,6 @@ on: branches: ["main", "master"] jobs: - find_all_layers: - runs-on: ubuntu-latest - name: Available TF layers - outputs: - LAYERS: ${{ steps.find_layers.outputs.LAYERS }} - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Finding available layers - id: find_layers - run: | - DIR_LIST=$(find ./tf/layers -mindepth 1 -maxdepth 1 -type d -exec printf '{{"directory": "%s"}}' {{}} \; | jq -s . | jq -c 'map(.directory)') - echo Avalilable Layers are $DIR_LIST ... - echo "LAYERS=${{DIR_LIST}}" >> $GITHUB_OUTPUT - - call-workflow: - uses: studiographene/github-action-workflows/.github/workflows/checkov-terraform-iac-scan.yml@master # if you want alternatively pin to tag version + call-worflow: + uses: studiographene/github-action-workflows/.github/workflows/checkov-terraform-iac-scan.yml@master secrets: inherit - needs: find_all_layers - with: - directories: ${{needs.find_all_layers.outputs.LAYERS}} From 6f0ff13c47a75a8cac25a5a6ce2cc0911533882c Mon Sep 17 00:00:00 2001 From: Mohan Kumar Date: Mon, 16 Jun 2025 17:05:47 +0530 Subject: [PATCH 27/28] fix(ENB-28): Security group rules moved to resources --- README.md | 129 ++++++++++++++++++++++++---------------------- README_VERSION.md | 7 +++ security_group.tf | 57 +++++++++++++++----- variables.tf | 7 +++ 4 files changed, 123 insertions(+), 77 deletions(-) create mode 100644 README_VERSION.md diff --git a/README.md b/README.md index 5b319ebe..34d83e56 100644 --- a/README.md +++ b/README.md @@ -183,69 +183,72 @@ Available targets: ## Inputs -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [alarm_actions](#input_alarm_actions) | Alarm action list | `list(string)` | `[]` | no | -| [alarm_cpu_threshold_percent](#input_alarm_cpu_threshold_percent) | CPU threshold alarm level | `number` | `75` | no | -| [alarm_memory_threshold_bytes](#input_alarm_memory_threshold_bytes) | Ram threshold alarm level | `number` | `10000000` | no | -| [apply_immediately](#input_apply_immediately) | Apply changes immediately | `bool` | `true` | no | | no | -| [at_rest_encryption_enabled](#input_at_rest_encryption_enabled) | Enable encryption at rest | `bool` | `false` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [auth_token](#input_auth_token) | Auth token for password protecting redis, `transit_encryption_enabled` must be set to `true`. Password must be longer than 16 chars | `string` | `null` | no | -| [auto_minor_version_upgrade](#input_auto_minor_version_upgrade) | Specifies whether minor version engine upgrades will be applied automatically to the underlying Cache Cluster instances during the maintenance window. Only supported if the engine version is 6 or higher. | `bool` | `null` | no | -| [automatic_failover_enabled](#input_automatic_failover_enabled) | Automatic failover (Not available for T1/T2 instances) | `bool` | `false` | no | -| [availability_zones](#input_availability_zones) | Availability zone IDs | `list(string)` | `[]` | no | -| [cloudwatch_metric_alarms_enabled](#input_cloudwatch_metric_alarms_enabled) | Boolean flag to enable/disable CloudWatch metrics alarms | `bool` | `false` | no | -| [cluster_mode_enabled](#input_cluster_mode_enabled) | Flag to enable/disable creation of a native redis cluster. `automatic_failover_enabled` must be set to `true`. Only 1 `cluster_mode` block is allowed | `bool` | `false` | no | -| [cluster_mode_num_node_groups](#input_cluster_mode_num_node_groups) | Number of node groups (shards) for this Redis replication group. Changing this number will trigger an online resizing operation before other settings modifications | `number` | `0` | no | -| [cluster_mode_replicas_per_node_group](#input_cluster_mode_replicas_per_node_group) | Number of replica nodes in each node group. Valid values are 0 to 5. Changing this number will force a new resource | `number` | `0` | no | -| [cluster_size](#input_cluster_size) | Number of nodes in cluster. _Ignored when `cluster_mode_enabled` == `true`_ | `number` | `1` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` | 
{
 "additional_tag_map": {},
 "attributes": [],
 "delimiter": null,
 "descriptor_formats": {},
 "enabled": true,
 "environment": null,
 "id_length_limit": null,
 "label_key_case": null,
 "label_order": [],
 "label_value_case": null,
 "labels_as_tags": [
 "unset"
 ],
 "name": null,
 "namespace": null,
 "regex_replace_chars": null,
 "stage": null,
 "tags": {},
 "tenant": null
}
| no | -| [data_tiering_enabled](#input_data_tiering_enabled) | Enables data tiering. Data tiering is only supported for replication groups using the r6gd node type. | `bool` | `false` | no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [description](#input_description) | Description of elasticache replication group | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [dns_subdomain](#input_dns_subdomain) | The subdomain to use for the CNAME record. If not provided then the CNAME record will use var.name. | `string` | `""` | no | -| [elasticache_subnet_group_name](#input_elasticache_subnet_group_name) | Subnet group name for the ElastiCache instance | `string` | `""` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [engine_version](#input_engine_version) | Redis engine version | `string` | `"4.0.10"` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [family](#input_family) | Redis family | `string` | `"redis4.0"` | no | -| [final_snapshot_identifier](#input_final_snapshot_identifier) | The name of your final node group (shard) snapshot. ElastiCache creates the snapshot from the primary node in the cluster. If omitted, no final snapshot will be made. | `string` | `null` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [instance_type](#input_instance_type) | Elastic cache instance type | `string` | `"cache.t2.micro"` | no | -| [kms_key_id](#input_kms_key_id) | The ARN of the key that you wish to use if encrypting at rest. If not supplied, uses service managed encryption. `at_rest_encryption_enabled` must be set to `true` | `string` | `null` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | 
[
 "default"
]
| no | -| [log_delivery_configuration](#input_log_delivery_configuration) | The log_delivery_configuration block allows the streaming of Redis SLOWLOG or Redis Engine Log to CloudWatch Logs or Kinesis Data Firehose. Max of 2 blocks. | `list(map(any))` | `[]` | no | -| [maintenance_window](#input_maintenance_window) | Maintenance window | `string` | `"wed:03:00-wed:04:00"` | no | -| [multi_az_enabled](#input_multi_az_enabled) | Multi AZ (Automatic Failover must also be enabled. If Cluster Mode is enabled, Multi AZ is on by default, and this setting is ignored) | `bool` | `false` | no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [notification_topic_arn](#input_notification_topic_arn) | Notification topic arn | `string` | `""` | no | -| [ok_actions](#input_ok_actions) | The list of actions to execute when this alarm transitions into an OK state from any other state. Each action is specified as an Amazon Resource Number (ARN) | `list(string)` | `[]` | no | -| [parameter](#input_parameter) | A list of Redis parameters to apply. Note that parameters may differ from one Redis family to another | 
list(object({
 name = string
 value = string
 }))
| `[]` | no | -| [parameter_group_description](#input_parameter_group_description) | Managed by Terraform | `string` | `null` | no | -| [port](#input_port) | Redis port | `number` | `6379` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [replication_group_id](#input_replication_group_id) | Replication group ID with the following constraints:
A name must contain from 1 to 20 alphanumeric characters or hyphens.
The first character must be a letter.
A name cannot end with a hyphen or contain two consecutive hyphens. | `string` | `""` | no | -| [snapshot_arns](#input_snapshot_arns) | A single-element string list containing an Amazon Resource Name (ARN) of a Redis RDB snapshot file stored in Amazon S3. Example: arn:aws:s3:::my_bucket/snapshot1.rdb | `list(string)` | `[]` | no | -| [snapshot_name](#input_snapshot_name) | The name of a snapshot from which to restore data into the new node group. Changing the snapshot_name forces a new resource. | `string` | `null` | no | -| [snapshot_retention_limit](#input_snapshot_retention_limit) | The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. | `number` | `0` | no | -| [snapshot_window](#input_snapshot_window) | The daily time range (in UTC) during which ElastiCache will begin taking a daily snapshot of your cache cluster. | `string` | `"06:30-07:30"` | no | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [subnets](#input_subnets) | Subnet IDs | `list(string)` | `[]` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [transit_encryption_enabled](#input_transit_encryption_enabled) | Set `true` to enable encryption in transit. Forced `true` if `var.auth_token` is set.
If this is enabled, use the [following guide](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls) to access redis. | `bool` | `true` | no | -| [user_group_ids](#input_user_group_ids) | User Group ID to associate with the replication group | `list(string)` | `null` | no | -| [vpc_id](#input_vpc_id) | VPC ID | `string` | n/a | yes | -| [zone_id](#input_zone_id) | Route53 DNS Zone ID as list of string (0 or 1 items). If empty, no custom DNS name will be published.
If the list contains a single Zone ID, a custom DNS name will be pulished in that zone.
Can also be a plain string, but that use is DEPRECATED because of Terraform issues. | `any` | `[]` | no | - [ingress_cidr_blocks](#ingress_cidr_blocks) | List of IPv4 CIDR ranges to allow in security group ingress.                                                     | `list(string)` | `[]` | no |     - [allowed_security_groups](#allowed_security_groups) | List of security group IDs to allow in security group ingress.                           | `list(string)` | `[]` | no | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | --- | --- | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [alarm_actions](#input_alarm_actions) | Alarm action list | `list(string)` | `[]` | no | +| [alarm_cpu_threshold_percent](#input_alarm_cpu_threshold_percent) | CPU threshold alarm level | `number` | `75` | no | +| [alarm_memory_threshold_bytes](#input_alarm_memory_threshold_bytes) | Ram threshold alarm level | `number` | `10000000` | no | +| [apply_immediately](#input_apply_immediately) | Apply changes immediately | `bool` | `true` | no | | no | +| [at_rest_encryption_enabled](#input_at_rest_encryption_enabled) | Enable encryption at rest | `bool` | `false` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [auth_token](#input_auth_token) | Auth token for password protecting redis, `transit_encryption_enabled` must be set to `true`. Password must be longer than 16 chars | `string` | `null` | no | +| [auto_minor_version_upgrade](#input_auto_minor_version_upgrade) | Specifies whether minor version engine upgrades will be applied automatically to the underlying Cache Cluster instances during the maintenance window. Only supported if the engine version is 6 or higher. | `bool` | `null` | no | +| [automatic_failover_enabled](#input_automatic_failover_enabled) | Automatic failover (Not available for T1/T2 instances) | `bool` | `false` | no | +| [availability_zones](#input_availability_zones) | Availability zone IDs | `list(string)` | `[]` | no | +| [cloudwatch_metric_alarms_enabled](#input_cloudwatch_metric_alarms_enabled) | Boolean flag to enable/disable CloudWatch metrics alarms | `bool` | `false` | no | +| [cluster_mode_enabled](#input_cluster_mode_enabled) | Flag to enable/disable creation of a native redis cluster. `automatic_failover_enabled` must be set to `true`. Only 1 `cluster_mode` block is allowed | `bool` | `false` | no | +| [cluster_mode_num_node_groups](#input_cluster_mode_num_node_groups) | Number of node groups (shards) for this Redis replication group. Changing this number will trigger an online resizing operation before other settings modifications | `number` | `0` | no | +| [cluster_mode_replicas_per_node_group](#input_cluster_mode_replicas_per_node_group) | Number of replica nodes in each node group. Valid values are 0 to 5. Changing this number will force a new resource | `number` | `0` | no | +| [cluster_size](#input_cluster_size) | Number of nodes in cluster. _Ignored when `cluster_mode_enabled` == `true`_ | `number` | `1` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` | 
{
 "additional_tag_map": {},
 "attributes": [],
 "delimiter": null,
 "descriptor_formats": {},
 "enabled": true,
 "environment": null,
 "id_length_limit": null,
 "label_key_case": null,
 "label_order": [],
 "label_value_case": null,
 "labels_as_tags": [
 "unset"
 ],
 "name": null,
 "namespace": null,
 "regex_replace_chars": null,
 "stage": null,
 "tags": {},
 "tenant": null
}
| no | +| [data_tiering_enabled](#input_data_tiering_enabled) | Enables data tiering. Data tiering is only supported for replication groups using the r6gd node type. | `bool` | `false` | no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [description](#input_description) | Description of elasticache replication group | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [dns_subdomain](#input_dns_subdomain) | The subdomain to use for the CNAME record. If not provided then the CNAME record will use var.name. | `string` | `""` | no | + +| [elasticache_subnet_group_name](#input_elasticache_subnet_group_name) | Subnet group name for the ElastiCache instance | `string` | `""` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [engine_version](#input_engine_version) | Redis engine version | `string` | `"4.0.10"` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [family](#input_family) | Redis family | `string` | `"redis4.0"` | no | +| [final_snapshot_identifier](#input_final_snapshot_identifier) | The name of your final node group (shard) snapshot. ElastiCache creates the snapshot from the primary node in the cluster. If omitted, no final snapshot will be made. | `string` | `null` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [instance_type](#input_instance_type) | Elastic cache instance type | `string` | `"cache.t2.micro"` | no | +| [kms_key_id](#input_kms_key_id) | The ARN of the key that you wish to use if encrypting at rest. If not supplied, uses service managed encryption. `at_rest_encryption_enabled` must be set to `true` | `string` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | 
[
 "default"
]
| no | +| [log_delivery_configuration](#input_log_delivery_configuration) | The log_delivery_configuration block allows the streaming of Redis SLOWLOG or Redis Engine Log to CloudWatch Logs or Kinesis Data Firehose. Max of 2 blocks. | `list(map(any))` | `[]` | no | +| [maintenance_window](#input_maintenance_window) | Maintenance window | `string` | `"wed:03:00-wed:04:00"` | no | +| [multi_az_enabled](#input_multi_az_enabled) | Multi AZ (Automatic Failover must also be enabled. If Cluster Mode is enabled, Multi AZ is on by default, and this setting is ignored) | `bool` | `false` | no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [notification_topic_arn](#input_notification_topic_arn) | Notification topic arn | `string` | `""` | no | +| [ok_actions](#input_ok_actions) | The list of actions to execute when this alarm transitions into an OK state from any other state. Each action is specified as an Amazon Resource Number (ARN) | `list(string)` | `[]` | no | +| [parameter](#input_parameter) | A list of Redis parameters to apply. Note that parameters may differ from one Redis family to another | 
list(object({
 name = string
 value = string
 }))
| `[]` | no | +| [parameter_group_description](#input_parameter_group_description) | Managed by Terraform | `string` | `null` | no | +| [port](#input_port) | Redis port | `number` | `6379` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [replication_group_id](#input_replication_group_id) | Replication group ID with the following constraints:
A name must contain from 1 to 20 alphanumeric characters or hyphens.
The first character must be a letter.
A name cannot end with a hyphen or contain two consecutive hyphens. | `string` | `""` | no | +| [snapshot_arns](#input_snapshot_arns) | A single-element string list containing an Amazon Resource Name (ARN) of a Redis RDB snapshot file stored in Amazon S3. Example: arn:aws:s3:::my_bucket/snapshot1.rdb | `list(string)` | `[]` | no | +| [snapshot_name](#input_snapshot_name) | The name of a snapshot from which to restore data into the new node group. Changing the snapshot_name forces a new resource. | `string` | `null` | no | +| [snapshot_retention_limit](#input_snapshot_retention_limit) | The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. | `number` | `0` | no | +| [snapshot_window](#input_snapshot_window) | The daily time range (in UTC) during which ElastiCache will begin taking a daily snapshot of your cache cluster. | `string` | `"06:30-07:30"` | no | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [subnets](#input_subnets) | Subnet IDs | `list(string)` | `[]` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [transit_encryption_enabled](#input_transit_encryption_enabled) | Set `true` to enable encryption in transit. Forced `true` if `var.auth_token` is set.
If this is enabled, use the [following guide](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls) to access redis. | `bool` | `true` | no | +| [user_group_ids](#input_user_group_ids) | User Group ID to associate with the replication group | `list(string)` | `null` | no | +| [vpc_id](#input_vpc_id) | VPC ID | `string` | n/a | yes | +| [zone_id](#input_zone_id) | Route53 DNS Zone ID as list of string (0 or 1 items). If empty, no custom DNS name will be published.
If the list contains a single Zone ID, a custom DNS name will be pulished in that zone.
Can also be a plain string, but that use is DEPRECATED because of Terraform issues. | `any` | `[]` | no | +| [ingress_cidr_blocks](#ingress_cidr_blocks) | List of IPv4 CIDR ranges to allow in security group ingress.                                                     |  `list(string)` | `[]` | no |      | +| [allowed_security_groups](#allowed_security_groups) | List of security group IDs to allow in security group ingress.                           |  `list(string)` | `[]` | no | +| [intra_security_group_traffic_enabled](#intra_security_group_traffic_enabled) | Whether to allow traffic between resources inside the database's security group.                           |  `boolean` | `false` | no | + ## Outputs | Name | Description | diff --git a/README_VERSION.md b/README_VERSION.md new file mode 100644 index 00000000..092285b6 --- /dev/null +++ b/README_VERSION.md @@ -0,0 +1,7 @@ +# v1.1.3 + +### What: + +> Fix + +Security Group ingress and egress rules moved to separete resource block. Which fixes the rules getting over wirtten when rules are created outside this module diff --git a/security_group.tf b/security_group.tf index 93f432b8..e4c1931d 100644 --- a/security_group.tf +++ b/security_group.tf @@ -3,21 +3,7 @@ resource "aws_security_group" "redis" { name = "${module.this.id}-redis-sg" description = "Controls access to the Redis Cluster" vpc_id = var.vpc_id - egress { - protocol = "-1" - from_port = 0 - to_port = 0 - cidr_blocks = ["0.0.0.0/0"] - } - ingress { - description = "Allow SGs and cidr to access Redis" - from_port = var.port - to_port = var.port - protocol = "TCP" - cidr_blocks = var.ingress_cidr_blocks - security_groups = var.allowed_security_groups - } tags = merge( module.this.tags, { @@ -26,3 +12,46 @@ resource "aws_security_group" "redis" { ) } +resource "aws_security_group_rule" "ingress_security_groups" { + for_each = toset(var.allowed_security_groups) + + description = "Allow inbound traffic from existing security groups" + type = "ingress" + from_port = var.port + to_port = var.port + protocol = "tcp" + source_security_group_id = each.value + security_group_id = join("", aws_security_group.redis.*.id) +} + +resource "aws_security_group_rule" "traffic_inside_security_group" { + count = var.intra_security_group_traffic_enabled ? 1 : 0 + description = "Allow traffic between members of the Redis security group" + type = "ingress" + from_port = var.port + to_port = var.port + protocol = "tcp" + self = true + security_group_id = join("", aws_security_group.redis.*.id) +} + +resource "aws_security_group_rule" "ingress_cidr_blocks" { + count = length(var.ingress_cidr_blocks) > 0 ? 1 : 0 + description = "Allow inbound traffic from existing CIDR blocks" + type = "ingress" + from_port = var.port + to_port = var.port + protocol = "tcp" + cidr_blocks = var.ingress_cidr_blocks + security_group_id = join("", aws_security_group.redis.*.id) +} + +resource "aws_security_group_rule" "egress" { + description = "Allow outbound traffic" + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + security_group_id = join("", aws_security_group.redis.*.id) +} diff --git a/variables.tf b/variables.tf index 294144ac..3a6f5c20 100644 --- a/variables.tf +++ b/variables.tf @@ -20,6 +20,13 @@ variable "allowed_security_groups" { type = list(string) default = [] } + +variable "intra_security_group_traffic_enabled" { + type = bool + default = false + description = "Whether to allow traffic between resources inside the database's security group." +} + variable "elasticache_subnet_group_name" { type = string description = "Subnet group name for the ElastiCache instance" From a018ec59244965248902f034565b7fd0c868617f Mon Sep 17 00:00:00 2001 From: Mohan Kumar <103643794+mohankumar-studiographene@users.noreply.github.com> Date: Mon, 16 Jun 2025 17:08:24 +0530 Subject: [PATCH 28/28] chore(README_VERSION): typo --- README_VERSION.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README_VERSION.md b/README_VERSION.md index 092285b6..2ca11e03 100644 --- a/README_VERSION.md +++ b/README_VERSION.md @@ -1,4 +1,4 @@ -# v1.1.3 +# v1.1.4 ### What: